MASTERING OPERATIONAL RISK
A practical guide to understanding operational risk and how to manage it
Tony Blunden & John Thirlwell

Operational risk is a constant concern for all businesses. It goes far beyond operations and process, to encompass all aspects of business risk, including strategic and reputational risks. Within financial services, it became codified by the Basel Committee on Banking Supervision in the 1990s. It is something that needs to be taken seriously by all those involved in running, managing and leading companies.

Mastering Operational Risk is a comprehensive guide which takes you from the basic elements of operational risk, through to its advanced applications. Focusing on practical aspects, the book gives you everything you need to help you understand what operational risk is, how it affects you and your business and provides a framework for managing it.

Mastering Operational Risk:
• Shows you how to make the business case for operational risk, and how to develop effective company-wide policies
• Covers the essential basic concepts through to advanced management practices
• Uses examples and case studies and explains how to avoid mistakes
• Provides scenario analysis and modelling techniques for you to apply to your business
• Provides an invaluable framework for the management of operational risk
• Helps you identify and manage risk appetite
• Provides a practical approach to applying stress testing to operational risk
• Gives you a business approach to modelling operational risk

Operational risk arises in all businesses. It is a broad term and can relate to internal processes, people and systems, as well as external events. All listed companies, charities and the public sector must make risk judgements and assessments and company managers have an increasing responsibility to ensure that these assessments are robust and that risk management is at the heart of their organisations.

In this practical guide, Tony Blunden and John Thirlwell, recognised experts in risk management, show you how to manage operational risk and show why operational risk management really will add benefits to your business.

Mastering Operational Risk includes:
• The business case for operational risk
• Risk and control assessment
• How to use operational risk indicators
• Reporting operational risk
• Modelling and stress-testing operational risk
• Business continuity and insurance
• Managing people risk
• Containing reputational damage

Tony Blunden is an Executive Director of Chase Cooper, a risk management solutions company that focuses on the financial sector to provide solutions for enterprise risk, operational risk, Sarbanes–Oxley, credit and market risk. He heads its consultancy division. Tony’s journalism includes numerous articles on operational risk issues and related matters for Operational Risk and Compliance, New Banking Frontiers, The Scottish Banker and Complinet. He is the co-author of Risk-Based Compliance (2001) (Butterworths) and has contributed to Mastering Derivatives (First Ed. 1996/Second Ed. 2003/Third Ed. 2006) (FT Prentice Hall), The Euromoney Derivatives and Risk Management Handbook 2001/02 (2001) (Euromoney), Operational Risk: Regulation, Analysis and Management (2002) (FT Prentice Hall) and Managing Business Risk (2003) Kogan Page Limited.

John Thirlwell has worked in financial services for over 30 years and for the last 15 years has been on the boards of a number of banks and insurance companies as both an executive and non-executive director. He was a Director of the British Bankers’ Association where he was heavily involved in negotiating the current operational risk regulatory framework for banks and founded and chaired the BBA’s Global Operational Loss Database. He is a Fellow of the Institute of Operational Risk. He has written a regular column for Operational Risk and Regulation magazine, articles on risk issues for Risk, The Treasurer, PFI Journal and the Chartered Institute of Bankers. He was the co-author of A Guide to Business Continuity Management (2001) (BBA/KPMG), senior reviewer of Operational Risk Handbook (2001–4) (Chartered Institute of Securities & Investment), and has written chapters for Advanced Operational Risk (2002) and Basel Handbook (2003) (Risk Waters).

Visit our website at www.pearson-books.com

CVR_BLUN7323_01_SE_CVR.indd 1 19/7/10 13:03:17


Mastering
Operational Risk



In an increasingly competitive world, we believe it’s quality of thinking that gives you the edge – an idea that opens new doors, a technique that solves a problem, or an insight that simply makes sense of it all. The more you know, the smarter and faster you can go.

That’s why we work with the best minds in business and finance to bring cutting-edge thinking and best learning practice to a global market.

Under a range of leading imprints, including Financial Times Prentice Hall, we create world-class print publications and electronic products bringing our readers knowledge, skills and understanding, which can be applied whether studying or at work.

To find out more about Pearson Education publications, or tell us about the books you’d like to find, you can visit us at www.pearsoned.co.uk


Mastering
Operational Risk

tony blunden
john thirlwell



PEARSON EDUCATION LIMITED

Edinburgh Gate
Harlow CM20 2JE
Tel: +44 (0)1279 623623
Fax: +44 (0)1279 431059
Website: www.pearsoned.co.uk

First published in Great Britain in 2010

© Pearson Education Limited 2010

The rights of Tony Blunden and John Thirlwell to be identified as authors of this
work have been asserted by them in accordance with the Copyright, Designs and
Patents Act 1988.

Pearson Education is not responsible for the content of third party internet sites.

ISBN: 978-0-273-72732-3

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library

Library of Congress Cataloging-in-Publication Data
Blunden, Tony.
Mastering operational risk / Tony Blunden, John Thirlwell.
p. cm.
Includes index.
ISBN 978-0-273-72732-3 (pbk.)
1. Risk management. 2. Operational risk. I. Thirlwell, John. II. Title.
HD61.B547 2011
658.15’5--dc22
2010022299

All rights reserved; no part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise without either the prior written permission of the publishers or a licence permitting restricted copying in the United Kingdom issued by the Copyright Licensing Agency Ltd, Saffron House, 6–10 Kirby Street, London EC1N 8TS. This book may not be lent, resold, hired out or otherwise disposed of by way of trade in any form of binding or cover other than that in which it is published, without the prior consent of the Publishers.

10 9 8 7 6 5 4 3 2 1
14 13 12 11 10

Typeset in 11.5/13.5 pt Garamond by 30
Printed and bound in Great Britain by Ashford Colour Press Ltd, Gosport, Hampshire


For Angela and Fran

Contents

Preface xiii
Acknowledgements xv
The authors xvi

Part 1 Setting the scene 1

1 What is operational risk? 3
The road to operational risk 4
What do we mean by operational risk? 7
The boundary issue 11
Why operational risk is different from other risks 12
Cause and effect 15
Measurement and management of operational risk 15
Challenges of operational risk management 17
Introducing the framework 22

2 The business case for operational risk management 25
Introduction 26
Operational risk management as a marketing tool 26
Benefits of getting operational risk management right 27
Benefits beyond the framework 31
Business optimisation 33

Part 2 The framework 35

3 Governance 37
Introduction 38
Operational risk management framework 39
Operational risk policy 42
Operational risk appetite 43
Roles and responsibilities statements 55
Glossary 60
Timeline 62

4 Risk and control assessment 65
Aims of risk and control assessment 66
Prerequisites 67
Basic components 69
Avoiding common risk identification traps 70
Assessing risks 76
Owners 81
Identifying controls 83
What a risk control assessment looks like 88
Action plans 88
How to go about a risk and control assessment 90
Using risk and control assessments in the business 92
Why do risk and control assessments go wrong? 93
Summary 93

5 Events and losses 95
Introduction 96
What is meant by an event 96
Data attributes 99
Who reports the data? 107
Reporting threshold 107
Use of events 108
External loss databases 110
Using major events 114
Timeliness of data 114
Summary 114

6 Indicators 115
Introduction 116
Key performance indicators and key risk indicators 117
Establishing KRIs and KCIs 118
Targets and thresholds 121
Periodicity 123
Identifying the leading and lagging indicators 124
Action plans 125
Dashboards 125
Summary 126

Part 3 Advancing the framework 127

7 Reporting 129
Introduction 130
Common issues 130
Basic principles 132
Report definition 135
Reporting styles and techniques 136
Dashboard reporting 141
Summary 143

8 Modelling 145
Introduction 146
Previous approaches to operational risk modelling 147
Towards an inclusive approach 155
Distributions and correlations 157
Practical problems in combining internal and external data 158
Confidence levels and ratings 161
Obtaining business benefits from capital modelling 162
Obtaining business benefits from qualitative modelling 166
Summary 171

9 Stress tests and scenarios 173
Introduction 174
What are they and what’s the difference between them? 175
Why use scenarios? 176
Problems with scenarios … 177
… and how to do them better 179
Governance 179
Developing a set of practical scenarios 181
Preparing for the extreme event 187
Typical problems following scenario development 188
The near death experience 189
Applying scenarios to operational risk management data 190
Summary 196

Part 4 Mitigation and assurance 197

10 Business continuity 199
Introduction 200
Business continuity and risk management 201
Policy and governance 202
Business impact analysis 203
Threat and risk assessment 204
The business continuity strategy and plan 206
Testing the plan 210
Maintenance and continuous improvement 213

11 Insurance 215
Operational risk and insurance 216
Insurance speaks to cause 216
Buying insurance 217
The insurance carrier 222
Alternative risk transfer mechanisms 222
Conclusion 226

12 Internal audit 227
The three lines of defence 228
Independent assurance 229
Internal and external audit 231
Internal audit and risk management oversight 233
The role of internal audit 234
Audit committees 239
Effective internal audit 241

Part 5 Practical operational risk management 245

13 Outsourcing 247
What is outsourcing? 248
Outsourcing – transforming operational risk 248
Deciding to outsource 249
The outsourcing project – getting it right at the start 252
Risk assessment 253
Some tips on the request for proposal 255
Selecting the provider 255
Some tips on service level agreements 260
Managing the project 262
Exit strategy 266

14 People risk 269
Introduction 270
The people environment 270
Mitigating people risks 275
Succession planning 282
The human resources department 284
Key people risk indicators 285

15 Reputation risk 289
What is reputation? 290
Stakeholders 291
Reputation and brand 292
What is reputation risk? 292
Valuing reputation and reputation risk 292
How can reputation be damaged? 294
A framework for reputation risk management 298
Reputation risk controls 303
Tracking reputation risk 304
Managing intermediary risk 305
It won’t happen to me: what to do when it does 307

Resources and further reading 313
Index 315

Preface

Risk management has taken a knock over the past few years, as the financial crisis has unfolded. But perhaps the problem was not so much a failure of risk management as such, as its absence from strategic and other decisions.

That is why we believe Mastering Operational Risk is both timely and a reminder that good risk management is fundamental to good business management. And, as we show in Chapter 2, good operational risk management can bring real business benefits. It is as much about opportunities as it is about threats: so it demands imagination and the flexibility to adapt to a rapidly changing risk environment.

Operational risk emerged as a risk discipline in its own right in financial services in the early 1990s. However, it was influenced by events in the ‘hazard’ industries and took on board methods which were already being used in energy, nuclear, space and transport, where operational risk as we now know it, was simply good risk management.

For us, operational risk goes far beyond operations and process to encompass all aspects of business risk, including strategic and reputational risks. Its management is not a complicated science, as much as a very human art which lies at the heart of all business decisions.

Mastering Operational Risk came about because we both passionately believe that there is a need for a book that sets out a practical framework for operational risk management, rather than one which is academic and quantitative in its approach. It has been written by practitioners for practitioners.

Given our professional backgrounds, and given where operational risk management has been developed over the past decade, Mastering Operational Risk is grounded in financial services, but the core elements are equally applicable to all sectors and to those who have to make business judgements. Since operational risk covers all aspects of business and involves everybody who works in the business or deals with it, we hope that it will provide useful tips for the beginner as well as the seasoned professional.

The core of the book is a risk management framework which provides a practical structure for managing this most slippery of risks. At its heart lie the critical processes of risk and control assessment and the use of loss events and indicators, all within an overarching governance structure. It tackles head-on the thorny subject of operational risk appetite – for a risk which takes in the unknown unknowns as well as the known unknowns. And although fundamentally this is a book about management, it also covers ways in which operational risk can be modelled and measured. It includes a business approach to modelling operational risk, which places the tool of modelling back in the hands of management, using the fundamental operational risk processes.

Of course, stuff happens which is unavoidable. But unavoidable does not mean unmanageable. That is why we have included chapters on both reputation risk – and how to deal with reputation crises – as well as business continuity. And as so much of operational risk is ultimately down to people failures, people risk is a key risk which is fully covered in its own chapter.

Mastering Operational Risk represents the distillation of two lifetimes of experience in operational risk management, during which we have enjoyed so many conversations with friends and colleagues about taming this exotic beast. A number of them have been kind enough to read individual chapters or in other ways to provide invaluable advice and suggestions: Rees Aaronson, Andrew Bryan, Ian Hilder, Mark Johnson, Charlotte Kiddy, Tim Landsman, Roger Miles, John Naish, Bruce Nichols, John Renz, Nick Symons and Rosemary Todd. To them go our especial thanks. Any sins of omission or commission, though, are entirely our own. Special thanks also to our editors, Chris Cudmore and Mary Lince, who have provided much needed encouragement and guidance.

Finally, we should like to thank our families for their constant support and for having to live lives, probably more than most, surrounded by operational risk.

ACB
JRWT



Acknowledgements

We are grateful to the following for permission to reproduce copyright material:

Figures
Figures 1.2, 2.1, 3.1, 3.6, 3.7, 3.8, 3.9, 3.10, 3.15, 4.1, 4.2, 4.4, 4.6, 5.1, 5.3, 6.1, 6.2, 6.3, 6.4, 7.1, 8.1, 8.2, 8.3, 8.6, 9.1, 9.2, 9.3, 9.4 and 12.2 courtesy of Chase Cooper Limited.

Logos
Figure 3.5 from Balfour Beatty, a registered trademark of Balfour Beatty plc, registered in England as a public limited company; Registered No: 395826; Registered Office: 130 Wilton Road, London SW1V 1LQ. For further information about the ‘Zero harm’ project, see www.balfourbeatty.com/bby/responsibility/safety/highlights

Screenshots
Figures 3.11, 3.13, 3.14, 5.2, 6.5, 6.7, 7.12, 8.4, 8.5, 8.7, 8.8, 8.9, 8.10 and 8.11 courtesy of Chase Cooper Limited.

Tables
Table 10.1 from Business Continuity Institute, Good Practice Guidelines 2008, Section 1, p. 7, The Business Continuity Institute; Table 15.6 from A short guide to reputation risk, Gower (Honey, G 2009), © A Short Guide to Reputation Risk, Garry Honey, 2009, Gower; Tables 8.1, 8.2, 8.3, 8.4, 8.5 and 13.1, courtesy of Chase Cooper Limited; Table 9.1 adapted from Information Paper: Applying a Structured Approach to Operational Risk Scenario Analysis in Australia, Emily Watchorn, September 2007, http://www.apra.gov.au/ADI/upload/APRA_IP_SENARIO_092007.pdf, copyright Commonwealth of Australia, reproduced by permission.

In some instances we have been unable to trace the owners of copyright material, and we would appreciate any information that would enable us to do so.



The authors

Tony Blunden
Tony has worked in the City of London for over 30 years, primarily within risk management, compliance and related areas in financial services organisations. He is Head of Consulting and a Board member of Chase Cooper.

Tony’s areas of focus are the identification and development of clients’ needs; the development of Chase Cooper’s profile and product set; and the provision of both public and bespoke training to clients. Tony has advised and guided over 50 clients and previous client engagements have included risk frameworks and governance; risk and control assessments; indicators of key risks and key controls; event and loss databases and their use; modelling of operational risk; risk reporting; and stress testing and scenario analysis. He is developing the integration of operational risk data with six sigma techniques in order to bring business benefit through control and process improvement.

Tony has spoken at over 100 international risk and compliance conferences and has appeared on television and radio. He is also a well-known author of articles and chapters on risk management and compliance, having published around 30 documents. He is a Fellow of the Institute of Chartered Secretaries and Administrators and a Member of the Examinations Board of the Chartered Institute of Securities and Investment.

John Thirlwell
John has worked in financial services in the City of London for over 30 years. He was Chief Risk Officer and a director of an investment bank and, for the last 15 years, has been an executive and non-executive director of a number of banking and insurance firms. He was a director of the British Bankers’ Association where he was responsible for negotiating the operational risk aspects of the Basel Capital Accord and EU Capital Requirements Directive. He founded and chaired the BBA’s Global Operational Loss Database.

He has been chairman of the UK Financial Services and Insurance Committee of the International Chamber of Commerce and has sat on advisory groups on risk and operational risk for the Bank of England, Financial Services Authority, Financial Services Skills Council, Chartered Institute of Securities and Investment, and Lloyd’s Market Association.

John is well known internationally as a speaker and writer on operational risk and on risk management and governance and is a Fellow of the Institute of Operational Risk and of the Chartered Institute of Bankers. He graduated from the University of Oxford and is chairman of trustees of the Bankside Gallery, London.

Part 1
Setting the scene

1. What is operational risk?
2. The business case for operational risk management

1
What is operational risk?

The road to operational risk
What do we mean by operational risk?
The boundary issue
Why operational risk is different from other risks
Cause and effect
Measurement and management of operational risk
Challenges of operational risk management
Introducing the framework



Part 1 · Setting the scene

The road to operational risk

Dateline: Moscow, 19 October 1812
In the face of a deserted city and no capitulation from city or Tsar, Napoleon burns Moscow to the ground and begins the march back to France. Failure to plan for the peculiar logistics of attempting such a long march into Russia and to identify and assess the debilitating effect of snow and temperatures of up to –38ºC result in the loss of nearly all the 420,000 troops of La Grande Armée.

Dateline: North Atlantic, 400 miles south of the Grand Banks of Newfoundland, 23.50, 14 April 1912
On its maiden voyage, RMS Titanic hits an iceberg which buckles the hull, causing five compartments to fill with water (the ship was designed to survive if up to four failed) and the ship to sink. Inadequate construction, lack of escalation procedures to handle ice warnings and, critically, inadequate lifeboat provisions lead to the deaths of 1517 of the 2223 on board.

Dateline: Kennedy Space Center, 11.39, 28 January 1986
The failure of a seal in a rocket booster leads directly to the disintegration of the Challenger space shuttle only 73 seconds into its flight, with the loss of the lives of the seven crew members on board. The subsequent enquiry identified poor governance and controls within NASA as fundamental contributing factors to the disaster.

Dateline: Piper oilfield, 58º28N 0º15E, 22.00, 6 July 1988
Inadequate communication about the safety status of a pump causes an explosion on the Piper Alpha oil production platform. Of the 226 men on the platform 167 are killed through lack of safety procedures, including inadequate refuge, coupled with a general attitude of minimum compliance with procedures.

Dateline: Bligh Reef, Prince William Sound, 00.04, 23 March 1989, Exxon Valdez
As a result of failures to adhere to appropriate work patterns, to provide navigation watch and, on the part of coast guards, to provide an effective traffic system through the Sound, the Exxon Valdez oil tanker strikes the reef, shedding some 40 million litres of oil. The spill results in the collapse of the local marine population and is disastrous to the local economy.

Dateline: Barings Bank Boardroom, 23 February 1995
Barings Chairman, Peter Baring, receives a confession note from his head derivatives trader in Singapore, Nick Leeson. Lack of appropriate controls over trading activity and treasury management, together with inadequate governance and lack of clear reporting lines had enabled Leeson to generate trading losses of $1.3bn, twice the capital of the bank. The 232-year-old bank was forced into insolvency and administration.

The road to operational risk, like the road from Moscow in the winter of 1812, has been long and arduous. In 1345, when the Black Death was raging across continental Europe and priests proclaimed the end of the world, Thomas Aquinas, philosopher, and saint as he later became, wrote, ‘The world has never been more full of risk.’ Over 650 years later, people continue to have the same view, but now global warming, terrorism or even the rise of global capitalism keeps them awake at night. And of course pandemics continue to haunt us, whether it is SARS, or avian or swine flu.

Whether or not the world is more risky, awareness of risk is undoubtedly high. That in part reflects changes in society in which risk assessment and risk tolerance are increasingly democratised. Various forms of activism, whether by consumers or non-governmental organisations, allied to a society which appears increasingly unable to accept personal risk responsibility, mean that we no longer allow risk assessment, and especially risk tolerance, to be left in the hands of governments or ‘experts’.

Not that activism is a new phenomenon. In response to social, and therefore political, pressure, often by trade unions or other forms of organised labour, numerous laws and regulations relating to health and safety in workplaces and elsewhere have been coming steadily onto the statute book since the nineteenth century. The first Mining Acts passed into law in 1803.

The interesting thing about these comments and the events at the start of this chapter is that they all form part of what is now known as operational risk. It is a very broad church. As those events show, one of the big problems of operational risk management, and indeed any form of risk management, is that we do not know the risks we face now or in the future, but we must act as if we do. Risk management implies that something can be done to reduce, if not eliminate, the likelihood and impact of danger and uncertainty.

But there is always the possibility that something will go wrong, whether through a failure in a process, human failures or simply because something unexpected happens in the external environment. Of all these, the most unpredictable, and the ones most likely to cause serious problems, are human failures and external events. That does not mean that these unpredictable factors are unmanageable. But it does mean that we need to approach operational risk management intelligently, with a humble acceptance of its limitations. If we do not, operational risk management becomes a risk in itself as it falls foul of an expectation that it is in some way a panacea for all our troubles. Risk management means neither risk avoidance nor risk elimination.

Even financial services regulators seem to have recognised the limitations of risk management. In the immediate aftermath of the financial crisis of 2007/9 they publicly climbed down from the pinnacle of risk-based regulation or supervision to the more practical level of outcomes-based regulation. Developing a climate of intelligent questioning is both the challenge and the opportunity for operational risk managers – and probably for regulators as well.

Having said that, risk is an integral part of life which has to be managed. In business life it has been increasingly enshrined in codes of corporate governance since the early 1990s. The Cadbury Report (1992) was the first of these, leading to the UK’s first Combined Code of corporate governance, which was published in 1999, along with the Turnbull Report on internal controls. Cadbury was closely followed by the Toronto Report in Canada and King Report in South Africa (1994) and similar reports and recommendations in Australia and France in 1995. The OECD Principles of Corporate Governance, which were first published in 1999, include the paragraph:

‘An area of increasing importance for boards and which is closely related to corporate strategy is risk policy. Such policy will involve specifying the types and degree of risk that a company is willing to accept in pursuit of its goals. It is thus a crucial guideline for management that must manage risks to meet the company’s desired risk profile.’1

The discipline of operational risk management itself probably emerged first in those ‘hazard’ or ‘safety critical’ industries or activities where the effect of failure can be catastrophic, whether in terms of lives lost or environments destroyed – nuclear, space, defence, pharmaceuticals, energy and transport. And it also had an honourable tradition in manufacturing, where the management of production lines and health and safety are vitally important.

Against this background, some time in the 1990s, operational risk emerged in the financial services sector as a term to identify a particular set of risks. Folk memory suggests that its emergence as a separate discipline was triggered by the Barings case in 1995. But it was being considered before that, partly as a result of events and failures which proved to banks that lending might be the least of their worries. Many were also conscious of events in other industries, such as the Piper Alpha rig disaster in 1988.

Not that it was much different for medieval bankers several centuries before. Their businesses failed as much because their communities and customers suffered from war, plague and famine, as they did from imprudent lending to defaulting sovereigns or states. Operational risk has always been with us.

Before we consider practical ways of managing it, though, we will first establish what exactly we mean in this book by operational risk.

M01_BLUN7323_01_SE_C01.indd 6 29/06/2010 09:52


1 · What is operational risk?

Defining risk

Perhaps the first thing to decide is what we mean by risk? The word came into the English language in the seventeenth century from the Italian risco or rischio, meaning hazard or chance of danger. Some element of that appeared in a definition given by the Royal Society in 1992, ‘the chance, in quantitative terms, of a defined hazard occurring’. This has the merit of introducing the concept of probability or uncertainty, but its accent on defined hazards implies that it concerns ‘known unknowns’.

Two other definitions of risk introduce a key element, impact on objectives, which will be a running theme throughout this book. The British Standard on Risk Management defines risk as ‘something that might happen and its effect(s) on the achievement of objectives’.2 This echoes a Standard which had been in use in Australia and New Zealand, AS/NZS 4360:2004, which spoke of risk as being ‘the chance of something happening that will impact objectives . . .’. In the latest international standard this has become ‘the effect of uncertainty on objectives’ (ISO 31000:2009), which shifts the emphasis back from effect to cause. The subject of risk becomes ‘something that might happen’. We are now moving into ‘unknown unknowns’ territory.

People often say that risk is a threat to objectives, something which negatively affects those objectives or threatens the factors which make a business successful. However, the two definitions mentioned above do not speak of threats, they speak of impacts. Risk and risk management can be about opportunities as much as threats. As Peter Bernstein has expressed it in Against the Gods, when discussing the theories of the seventeenth century Swiss mathematician, Daniel Bernoulli, ‘Risk is not something to be faced, but a set of opportunities open to choice.’

In Chinese, the concept of risk is represented by two characters which ‘translate’ as danger and opportunity. In fact, the characters for crisis (rather than danger) are wei ji (危机) and the characters for opportunity are ji hui (机会), so it’s probably truer to say that the character ji forms part of the concepts for crisis and opportunity, which still shows that conceptually the Chinese understood the twin sides of risk many centuries ago.

Loss of one or more key staff, loss of reputation or abandoning a project may well have an adverse financial impact, but even then it is possible that they can result in financial benefit both in the short and medium term. When something happens, it may even help you to achieve and surpass your objectives. Those objectives can be sales, profits, market share or something else, such as the behavioural objectives discussed in Chapter 14, People risk. Disciplines of risk management will mean that you are prepared as much for the upside as for the downside. Risk is not downhill all the way, even if it often feels like it.

Part 1 · Setting the scene

Defining operational risk


The question, though, is to decide which of those risks, which of those ‘somethings’ are we going to put in the box marked operational risk, as opposed to other kinds of risk. As we have said, operational risk, as a term, first emerged within financial services in the early 1990s. As awareness of the risks and subject grew, so people looked for a common definition which would describe what they were talking about. The definition of operational risk most widely used now in financial services is the one published by the Basel Committee on Banking Supervision:

Definition Operational risk


The risk of loss resulting from inadequate or failed internal processes,
people and systems or from external events.3

Although it was devised for banks, it represents a reasonable statement of the


scope of operational risk within all industries.
This definition first emerged from a survey undertaken in 1999 by the British Bankers’ Association, the International Swaps and Derivatives Association and the Risk Management Association, with the help of PricewaterhouseCoopers, subsequently written up in Operational risk – The next frontier.4 Up until then, within financial services, operational risk, if it had been thought about at all, was either limited to operations risk, i.e. internal processes and systems, or was a negative statement or thought – ‘anything which isn’t credit or market risk’. In the 1999 survey of more than 50 (mostly) international banks, including nearly 40% of the top 100 banks in the world at that time, less than half had a positive group-wide definition, 15% used the negative statement, and almost all the rest had no specific definition.
The Basel definition has the merit of being positive: it says what operational
risk is, rather than what it is not; but it doesn’t really tell you what those
various groups – people, process, systems, external events – mean in practice.
It is a scoping statement. It needs more detail to flesh it out in the shape of
sub-categories.
Table 1.1 gives some examples of sub-categories of the four key words in the
Basel definition.
The Basel Committee categorised operational risk losses and came up with the following categories:
• internal fraud
• external fraud
• employment practices and workplace safety
• clients, products and business practices
• damage to physical assets
• business disruption and systems failures
• execution, delivery and process management.5

Table 1.1 Sub-categories of operational risk
People: includes fraud; breaches of employment law; unauthorised activity; loss or lack of key personnel; inadequate training; inadequate supervision.
Process: includes payment or settlement failures; documentation which is not fit for purpose; errors in valuation/pricing models and processes; project management failures; internal/external reporting; (mis)selling.
Systems: includes failures during the development and systems implementation process, as well as failures of the system itself; inadequate resources.
External events: includes external crime; outsourcing (and insourcing) risk; natural and other disasters; regulatory risk; political risk; utilities’ failures; competition.
Source: Adapted from British Bankers’ Association GOLD database

But even the Basel Committee limited its own definition by adding a rider that it included legal risk, but excluded strategic and reputational risk.6 Legal risk – the risk of capricious legislators, of capricious judges and juries, or of finding that documentation is inadequate to sustain a claim against a debtor – is a perfectly legitimate risk to include within operational risk. But it has a sister risk, regulatory risk, which is little spoken of (by regulators), yet which consistently features high in the CSFI’s annual ‘Banana Skins’ surveys.7 Until recently, that probably reflected irritation with the burden of ‘too much’ regulation, rather than the biggest genuine threat to the business. Now it might well begin to encompass decisions by legislators and regulators, in the wake of the financial crisis, which will have considerable impact on business models.
The one outsider is reputation risk, which is not really a direct risk in itself, but is usually the result or consequence of an operational risk failure. It was probably excluded from the Basel Committee’s definition on the basis that it was too difficult to assess. As it is a secondary consequence of another risk, an argument can be made for its exclusion. However, many firms in all industries not unreasonably consider it their biggest risk by far (see Chapter 15, Reputation risk).
What emerges is that, whilst it might be permissible to exclude strategic risk, i.e. making the wrong strategic decision for the business, or reputation risk, operational risk nevertheless encompasses practically all the risks of running the business, apart from any which deserve specific treatment. Perhaps the ‘negative’ definition isn’t so bad after all.

Of course, another approach to understanding what is meant – or to be more exact, what you mean – by operational risk is to ask the simple question, ‘What keeps you awake at night?’ Or you can ask ‘What needs to go right for the business to achieve its objectives?’ and think about what might prevent that happening. The answer to either question might be a list like this:
• loss of reputation
• physical damage
• failure of the organisation to change/adapt
• business interruption
• employee retention
• political risk
• product liability
• general liability
• terrorism
• failure of a key strategic alliance
• computer failure.
None are avoidable. Many are transferable, perhaps by insurance (see Chapter 11), but all are manageable to some extent, if only in the sense of the four Ts of: treat, transfer, terminate and tolerate.
As we have seen, one of the glories – and frustrations – of operational risk,
like Cleopatra, is its infinite variety. In the words of Michael Power:
‘Operational risk is an extended institutionalised attempt to frame the
unframeable, assuage fears about the uncontrollable “rogue others” and
to tame the man-made monsters [of the financial system].’8

Operational risk and ERM


In this book, we take the view that operational risk covers all the internal and external sources of operational risk, all those ‘rogue others’. It is equivalent in many ways to enterprise risk management (ERM), but certain discrete financial risks, such as credit risk, market risk and liquidity or commodity risk can be hived off from it, as is shown in Figure 1.1.
ERM and operational risk management share very similar aims. There are numerous definitions of ERM, but the Risk and Insurance Management Society has published one which chimes with this idea:

Definition ERM is the culture, processes and tools to identify strategic opportunities and reduce uncertainty. It is a comprehensive view of risk both from operational and strategic perspectives and is a process that supports the reduction of uncertainty and promotes the exploration of opportunities.9

Figure 1.1 Operational risks and other financial risks (diagram: operational risk, including strategic risk, shown overlapping with liquidity risk, market/product risk, underwriting risk, credit risk and group risk)

ERM undoubtedly covers all the various risk categories. But for us, operational
risk is essentially business risk and at the heart of business risk management.
That is the view taken in this book, but how you define operational risk is up
to you. Your definition must go with the grain of your firm and all firms are
different in their business, culture and people. But define it, or scope it, you
must, because how you define it will determine how you classify it and assess it
and how it is managed in your firm. Your definition is the cornerstone of any
operational risk policy.

The boundary issue


As can be seen from Figure 1.1, operational risk overlaps with other risks. One of the issues which has to be resolved in positioning a definition is ‘the boundary issue’. That reflects the fact that many of the losses which are ascribed to other classes of risk have a strong operational risk component.
Product risk involves the commodity, or market, risk of prices of components moving, but the risks of product quality, design and distribution are operational risks. Supply risk involves the credit risk of the supplier and buyer, but it is rooted in the operational risks of supply chain logistics.
Turning to financial services, it has been claimed, albeit anecdotally, that at least 50% of banks’ bad debts are, in fact, operational risk losses, often through failures of documentation which invalidate collateral, whether on retail or wholesale transactions. But they tend to go into the books as credit losses. Similarly, in the market trading environment, a significant number of what are recorded as market losses are operational risk losses: for example, ‘fat finger’, where the wrong key is struck or an order is mis-typed and you buy when you should have sold, or buy, for example, the Japanese recruitment agency J-Com rather than the cable television group JCom.10
Taking the example to a different level from the purely transactional, failure to adequately stress test market risk models against extreme market movements is a form of operational risk. It reflects a failure of internal controls over the stress testing function. Its impact, though, may not be on an individual transaction, but on the general level of market risk to which the firm is exposed and may well feed through into significant losses. Is that market risk or operational risk?
As with so much about operational risk, it is very much up to you and the nature of your firm and how you wish to allocate losses and manage your risks. What is meant by operational risk – how far you push the boundaries out or pull them in – is entirely up to you. Your risk management framework should reflect the ways you work within the firm. In many cases the answer is straightforward, but not at the boundaries.
The downside of allocating risks by risk type at this higher level is that if you try to extract quantitatively the operational risks which have traditionally been included in credit and market risk data, you add other risks to the problem – the subjectivity of allocation and the breaking of a relatively homogeneous time series of data. Even if you decide that you will keep the boundaries tight – and traditional – you should at least track and record those incidents where an operational failure has resulted in loss. The real object of the exercise is operational risk management, not operational risk measurement.
Operational risk is ultimately about failure of controls – or even lack of controls – so that operational risk management is about establishing and maintaining an effective and cost-effective control environment across all risks. The fact is that operational risk crosses boundaries (and steps on toes) and involves everybody at different levels and in different ways. It gets into the micro-politics, as well as the macro-politics of the firm.

Why operational risk is different from other risks


Having accepted that operational risk covers a very wide range of risks, it is worth considering whether it is intrinsically different from other classes of risk. The questionnaire shown in Table 1.2 provides a useful way of approaching this.

Table 1.2 Operational risk and other types of risk
(Each question is answered for operational risk and for credit, market, commodity, liquidity and underwriting risks.)
Is the risk transaction-based? – Operational risk: No. Other risks: Yes.
Is the risk assumed proactively? – Operational risk: No. Other risks: Yes.
Can it be identified from accounting information, e.g. the P&L? – Operational risk: No. Other risks: Yes.
Can occurrence of the risk (all risk events) be audited? – Operational risk: No. Other risks: Yes.
Can its financial impact be capped or limited? – Operational risk: No. Other risks: Yes.
Can you trade the risk? – Operational risk: No. Other risks: Yes.

In a very broad sense, the answers to the risks in the right-hand column will be
‘Yes’ and those under operational risk will be ‘No’. Let’s look at them in turn.

Transaction-based
Operational risk obviously occurs each time a transaction is undertaken, but
it doesn’t depend on transactions for its existence. Before a firm opens its
doors and transacts any business, it is exposed to operational risk in the guise
of, for example, fire, theft or flood. The right-hand column risks are entirely
transaction-based.

Assumed proactively
Practically all financial services are about the assumption and management of risk, whether it is a bank lending money, an insurer underwriting or a dealer trading currencies or bonds. With other types of business, management of credit and liquidity risk, and of market or commodity risk, may be an inevitable part of the business, but not the reason the firm is in business. But as we said earlier, operational risk is essentially unavoidable, whether we like it or not. There are exceptions, such as where a firm takes on another firm’s processing under an outsourcing arrangement – for a fee. But generally operational risk is something to be reduced and controlled, rather than actively taken on and increased.

Identified from accounting information


If you look through the various types of operational risk, such as the ones listed in Table 1.1, you will certainly find somewhere in the firm’s financial information the financial losses (or profits) which result from them, but you will rarely find one of them listed as a line in the general ledger unless, perhaps, that item is fraud. As a result, it is extremely difficult to obtain accurate information on the costs of operational risk. So, for reporting, we have to rely considerably on human honesty and human reporting, rather than data feeds from the accounting system.
This is another consequence of operational risk not being transaction-based.
If it were, innumerable bits of data relating to it could be attached to each
transaction and it could be comprehensively assessed, analysed and monitored.
But it is not. Nor are all its impacts financial.

Can the occurrence of risk events be audited?


It is certainly possible to audit whether an operational risk loss has been correctly recorded – but only if it has been reported. And it’s also possible to do this even for ones which haven’t been admitted to – provided the auditors are aware of the incident. But you simply cannot guarantee that all operational loss events have been recorded, whatever a firm’s policy may be, short of examining every single debit and credit in the books – a rather futile exercise.

Can limits be put on operational risk?


Rarely, mainly because it is not assumed proactively. With other types of risk, you can limit your exposure to an entity, a currency, a maturity, a geographical area and so on. Operational risk, alas, happens. With internal risks, you seek to mitigate likelihood and impact through controls. You can set thresholds and establish a risk appetite. But for the most part, as we show in Chapter 3, Governance, you are unable to prevent risks having the impact that they do. You are establishing a level of tolerance. With external events that is especially true. You may be able to mitigate their effect, but for the most part you can’t prevent their happening. Nor can you limit the force of the hurricane which hits you.

Can you trade operational risk?


Again, unlike the other risks, the answer is no. It is true that catastrophe
bonds exist, as we explore in the Alternative risk transfer section of Chapter 11,
Insurance, but these tend to deal with very specific events, such as damage to
property caused by earthquakes or hurricanes within a particular geographical
area or radius. They don’t purport to cover the range of operational risks.
Rating agencies are taking some steps to assess ‘enterprise-wide’ risk, which is effectively an assessment of the tone and quality of risk management in a firm. But the gradings are limited and certainly far from being able to support a trading market, even if investors wanted one. Credit and market risk, as people have belatedly discovered, are only too readily tradeable.
So the answer is that operational risk is intrinsically different from other risks and therefore needs a different toolset with which to manage it, as we shall see in the operational risk management framework which forms the central part of this book.

Cause and effect


But there is one further thought about the nature of operational risk – perhaps
of all risks. For most types of risk, an event happens and the result is usually a
financial loss – or, rarely and tragically, human loss. And that is what people
focus on in trying to decide how better to manage risk in future – the effect.
Operational risk classification systems invariably identify particular operational loss events or incidents. But that is not what operational risk management is about. It is about understanding fully the chain of causality, the simple sequence of:
CAUSE → EVENT → EFFECT (OR CONSEQUENCE)
Whilst operational risk management is about managing events, it does so through preventative controls and indicators to manage their causes and through detective controls and actions to mitigate their effects. Too often in operational risk management, including in the Basel Accord, causes and effects are confused with events, and people base their risk mitigation on events, rather than on causes.
We can see the linkages of the chain by looking at some recent examples
from non-financial sector events (see Table 1.3). They provide an interesting
catalogue, which again also shows the wide range of operational risk.
The chain of causality and its risk management is another recurring theme
in this book.

Measurement and management of operational risk


The events in Table 1.3 and those described at the beginning of the chapter
highlight one of the problems of operational risk – the sheer range of risks
which it covers and the fact that, depending on how it is defined, it often
straddles a number of them, rather than being a discrete risk in its own right.
The simple fact of ‘cause’ is another reason why a relatively homogeneous
measurement system does not work.

Table 1.3 The chain of causality and some major operational risk events
Year: 1986. Cause: dangerous design of reactor and control rods; unauthorised changes to procedures; inadequate safety culture. Event: Chernobyl nuclear reactor disaster. Effect/consequence: severe release of radioactivity (four times Hiroshima bomb) across Russia and Europe (60% in Belarus); evacuation and resettlement of 336,000 people; probable 4000 additional deaths from cancer.
Year: 1991. Cause: over-dominant chief; complexity and lack of transparency in organisation; lack of internal controls; failure to act on warning signals; inadequate auditing; fraud. Event: collapse of Maxwell Communications. Effect/consequence: hundreds of millions of pounds stolen from employees’ pension funds of Maxwell companies.
Year: 2001. Cause: rise of Islamic fundamentalism; failure of intelligence; inadequate air defence systems; lax airport security. Event: World Trade Center (9/11) terrorist attack. Effect/consequence: 3000 deaths in World Trade Center; destruction of WTC 1 and 2; second Iraq war; global security crackdown.
Year: 2001. Cause: illegal meat imports; failure to comply with regulations by one farmer; lack of resources for cull; failure to appreciate changes in patterns of movements of animals around the UK. Event: foot and mouth crisis (UK). Effect/consequence: 4 million sheep and cattle slaughtered and burnt; world-wide ban on exports of British livestock and meat; UK tourism suffered an £8–9bn loss in 2001 as countryside and tourist attractions involving animals were closed; UK government suffered £3bn cost in tax lost and compensation paid.
Year: 2003. Cause: new and highly contagious form of atypical pneumonia. Event: SARS near-pandemic in 37 countries. Effect/consequence: air travel restricted; quarantine; disinfectant arrangements.
Year: 2003. Cause: failure of alarm system; failure to trim trees which put high voltage power lines out of service. Event: NE USA power failure. Effect/consequence: 11 power stations in NE USA offline, affecting 55 million people; water contamination; transport and communications disrupted.
Year: 2005. Cause: failure to maintain levees, as contingency against a potentially severe hurricane, allowed water from Lake Pontchartrain to flow into New Orleans; repeat of flood disasters of 1915, 1947 and 1965. Event: Hurricane Katrina. Effect/consequence: over 1800 deaths; 80% of New Orleans flooded; damage estimated at more than $100bn.

Given the importance of cause and behaviour, as well as the nature of the risks it covers, it is probable that a truly scientific approach to operational risk measurement would probably have to encompass professionals as various as economists (of many shades), engineers, social scientists, behavioural scientists, futurologists and crystal ball gazers, as well as a variety of different types of mathematician. If it is a science at all (as opposed to an art), operational risk is a social rather than a purely mathematical science. When we look at the mathematical aspects, data is thin where it is most needed, i.e. for rare, high-impact events. Probability estimates for operational risk are inevitably affected by behavioural rather than technical factors and, indeed, a major loss will cause behavioural changes and changes to controls which will render past experience less relevant as a guide to the future. There are no groundhog days in operational risk.
Measurement of operational risk has been driven within financial services
by the need to ascribe a capital number to it. The events of the financial crisis
show how dangerous it is when people believe that there is a mathematically
precise answer to the risk problem they have posed – when people place a mis-
guided trust in numbers as a basis, or even a substitute, for rational decision
making. Risk management has been in danger of being treated as a kind of
alchemy – but the philosopher’s stone has not been found, nor will it be. If
that is true of the relatively homogeneous, data-rich environments of credit
and market risk, how much truer it will be in the heterogeneous, data-poor
environment of operational risk. As Leibnitz once wrote to his friend Jacob
Bernoulli, uncle to Daniel, in 1703, ‘A finite number of experiments will
always be too small a sample for an exact calculation of nature’s intentions’.11
Nature’s intentions are frequently the subject of operational risk.
Operational risk requires a new kind of management and data collection which moves away from existing norms of risk management, especially with regard to low-frequency/high-impact events, which should be its prime concern. Operational risk, and indeed other forms of risk management, should be encouraging managers to open their eyes and ears to other forms of data – information is a much better word – than the purely numeric, even as far as gossip and casual comment. That goes even further against the basic laws of probability which demand independent, objective observations of homogeneous events, a long way away from the world of operational risk. Having said that, even actuaries admit to using quantitative frameworks to structure their ‘guesses’.12 Quantitative analysis undoubtedly has its place, but the actuaries are applying intelligent risk management, which is what this book is all about.

Challenges of operational risk management


Operational risk is a young discipline. It is the softest of risks, difficult to grasp, yet only too familiar. Establishing an effective operational risk management framework in a firm is not easy and open to many challenges. Let us look at some of them.

Getting the board on board


The first task, and the critical one, is to get the board to agree to take operational risk management seriously and for senior management and the board to be involved in devising an operational risk management policy.
If, as we believe in this book, operational risk is effectively business risk, including strategic and reputation risks, it should be an integral part of business strategy and management, the board’s primary responsibility. One of the dangers is for operational risk to be placed in a silo where it deals only with internal process risks.
For operational risk management to be effective, it needs to be embraced by
everybody and to be integral to all the business decisions made by a firm. That
is not to say that it’s about risk avoidance. It is about risk assessment and the
opportunities which can flow from that. As we say repeatedly in this book, for
that or any other approach to be embedded in the firm, it needs to be led and
sponsored from the top.
And if the board is not sure it is worth it, perhaps they can be asked to read
Chapter 2, The business case for operational risk management.

Getting buy-in throughout the firm


Understanding and explaining the benefits of good operational risk management is probably the best way to get buy-in throughout the firm. Because operational risk involves every activity in the firm from the strategic to the minutiae of operational activities, it needs to be embraced by everybody. At an Institute of Internal Auditors conference in September 2008, Professor Mervyn King, chair of South Africa’s King Committee on corporate governance, made the pertinent point,
‘If you get buy-in you can achieve extraordinary things. But if you don’t get buy-in you won’t even achieve the ordinary. It’s alright to talk about tone at the top, but I like to think about the tune in the middle.’
It is the response of everybody in the firm, which will make operational risk management effective.
Risk and control assessments and scenario analysis, for instance, will only be effective if they involve people who are at the sharp end of a firm’s activities, whether they are customer-facing, part of the support systems or on the board. The more people who are involved in the assessment process and can see practical results and benefits, the more buy-in there will be. They also need to see that they are not wasting their time. If we throw them hundreds of so-called key risk indicators, we are giving indicators a bad name. Which risks are truly key? What are the best indicators which relate to them? Get it down to a workable number of key risk indicators which staff can monitor and use. Likewise, with reporting thresholds. We do need to gather information down to a low level. But we have to balance the costs of comprehensive and voluminous reporting with the benefits, and concentrate on the information which best tells us what we need to know.
Operational risk events are very often the results of people failures (see Chapter 14, People risk). That is why, in Chapter 4, Risk and control assessment, we concentrate on both the design and performance of controls. The design is all about the system and process. The performance of a control is usually about people. If all staff are not engaged, controls will fail and the costs of that can be considerable.
Buy-in comes from communication, especially communicating why we are doing what we do. Why do we assess both inherent and residual risks? After all, the ‘reds’ amongst the inherent or gross risks tell us where we’re most likely to have a disaster. They may, but the chances are that you are doing something about them. So you need to find out and constantly monitor how effective the controls you have in place are to bring them down to an acceptable residual or net level. Explaining and communicating why we are doing what we do in operational risk management means that management becomes clear in its own mind and that other staff will understand the purpose and benefits. That way, we shall achieve real buy-in.
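As an added illustration of the inherent versus residual distinction just discussed (example code written for this edition, not code from the book or its authors), the following Python sketch scores each risk on a constructed 1 to 5 likelihood and impact scale, rates each control separately on its design and on its performance, and reports the gross and net scores as colours against a risk appetite. The scales, the multiplicative formula, the colour thresholds and the sample register are assumptions made for the example, not the Chapter 4 method.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Illustrative scoring model, constructed for this example (it is not the
# book's Chapter 4 method): likelihood and impact are each scored 1..5 and a
# risk's score is their product (1..25), reported as a colour.


def colour(score: float) -> str:
    """Map a risk score onto the red/amber/green colours used in reports."""
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"


@dataclass
class Control:
    """A control has a design (the system/process) and a performance (people)."""
    name: str
    design: float       # 0.0 (useless as designed) .. 1.0 (perfect design)
    performance: float  # 0.0 (never operated) .. 1.0 (always operated correctly)

    def __post_init__(self) -> None:
        for value in (self.design, self.performance):
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{self.name}: ratings must lie in [0, 1]")

    @property
    def effectiveness(self) -> float:
        # A well-designed control that staff do not perform mitigates little,
        # and a diligently performed but badly designed one does no better:
        # both have to hold for the control to bite.
        return self.design * self.performance


@dataclass
class Risk:
    name: str
    likelihood: int  # 1..5
    impact: int      # 1..5
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Gross score, as if no control were in place."""
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        """Net score after the controls; each control is assumed to act
        independently on whatever risk the previous ones left behind."""
        remaining = 1.0
        for control in self.controls:
            remaining *= 1.0 - control.effectiveness
        return self.inherent_score() * remaining


def assess(risks: List[Risk], appetite: float) -> List[Dict[str, object]]:
    """Produce one report row per risk, flagging residual scores outside appetite."""
    rows = []
    for risk in risks:
        inherent = risk.inherent_score()
        residual = risk.residual_score()
        rows.append({
            "risk": risk.name,
            "inherent": inherent,
            "inherent_colour": colour(inherent),
            "residual": round(residual, 2),
            "residual_colour": colour(residual),
            "within_appetite": residual <= appetite,
        })
    return rows


# Constructed sample register; names, scores and ratings are invented.
SAMPLE_RISKS = [
    Risk("Payment released without second authorisation", likelihood=4, impact=5, controls=[
        Control("Four-eyes approval in payments system", design=0.9, performance=0.9),
        Control("Daily reconciliation of outgoing payments", design=0.8, performance=0.5),
    ]),
    Risk("Loss of key settlements staff", likelihood=3, impact=4, controls=[
        Control("Documented procedures and cross-training", design=0.7, performance=0.3),
    ]),
    Risk("Flood at primary data centre", likelihood=1, impact=5),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_RISKS, appetite=8):
        flag = "" if row["within_appetite"] else "  <-- outside appetite"
        print(f"{row['risk']:<50} inherent {row['inherent']:>2} ({row['inherent_colour']:<5})"
              f"  residual {row['residual']:>5} ({row['residual_colour']:<5}){flag}")
```

Running it makes the paragraph's point concrete: the payments risk is red on an inherent basis but falls to green once its two well-performed controls are credited, whereas the staff risk is only amber inherently yet remains amber and outside appetite, because its single control is well designed but poorly performed. Ranking by the inherent reds alone would have pointed attention at the wrong risk.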
And of course buy-in can extend beyond the firm. If there are critical third-party dependencies, perhaps agents, sub-contractors or outsourcing suppliers, they need to be part of the communication network and embrace the firm’s operational risk standards.

It’s common sense, or what we do every day


Operational risk is present in everything we do. It’s what we have to cope with all the time, whether as business managers or as individuals. We are all risk managers. And because we do it every day, and are here to tell the tale, we are patently doing it well. We may be. But how do we know? And could we do even better?

There is no great mystery to operational risk management. The fundamentals of identifying, assessing, managing and mitigating risk to an agreed level of risk appetite are the same in all risk management activity. But if we establish a coherent framework for management, we will understand why some risks are being controlled successfully and where we can put our resources to best use.

Why colours and not numbers?


If it’s risk, it must be a number. And, indeed, there’s a view that if it isn’t a number, you can’t manage it. Numbers, even if they are spurious, give the comfort of certainty – dangerously so if they are spuriously accurate. They help to prioritise and focus actions, but it can be unhelpful to go for unjustified precision. The financial crisis of 2007–9 showed, amongst other things, the dangers of relying on numbers whose limitations were not understood.

There are many numbers in operational risk, losses being the most painful ones. But operational risk is not about management by numbers. It is about managing people and circumstances which are constantly changing and where judgements, even when based as far as possible on hard evidence, are necessarily subjective. That’s one argument for colours (or words) in operational risk reports, rather than apparently precise numbers.

The other one is that numbers are not as accessible as colours and good operational risk management happens as a result of good communication. In almost every chapter of the framework we show reports which owe their accessibility to the fact that they use colours to tell the story. A picture tells a thousand words. In operational risk, a colour tells a thousand numbers.

So why model it, then?


The answer to that depends on what you expect a model to do. There is often too little thought given to why and how models (and reports for that matter) are being constructed, and how they will be used. In operational risk, a model should be seen as a framework for a conversation. It might even give you the right question, rather than the correct answer. After all, for the most part we are trying to model our ignorance.

At the outset of an operational risk management programme, there will be little hard data on which to model. Even when the programme has been running well for some time, the data is always going to be incomplete and probably imperfect. So what’s the point of trying to turn it into something it is not? The answer is that, despite its limitations, modelling can probably get you in the right ballpark, even if it’s not an exact science. In operational risk, modelling may not provide the perfect answer, but it can provide a good answer – provided you understand what you’re getting.

How can you set a risk appetite for operational risk?


Perhaps the quickest answer is to turn to Chapter 3, Governance, and the section on risk appetite. Unfortunately, operational risk is not like the Hitchhiker’s Guide to the Galaxy where fans will remember that the Answer to the Ultimate Question of Life, the Universe and Everything – is 42. In operational risk, risk appetite may be a finite number but, because of the range of operational risks and the unavoidability of many, appetite can just as well be expressed in a statement of policy, or by using coloured assessments, or through a range of indicators. So you can set a risk appetite, but there will be different ways of doing it, depending on the risks involved. And remember – setting an appetite will not prevent an operational risk actually happening.

Reporting

The first challenge is to set up a system, and a culture, in which reporting of events and ‘near misses’ is what we do, rather than what we try not to do. We will report events, because everybody in the firm accepts and understands that it is only by comprehensive reporting that we can understand what is actually happening; understand what major incident may threaten; and pursue a policy of continuous improvement. If you look at most disasters, whether financial or non-financial, you will find that they generally owe their origin to human frailty of one form or another, of which the most dangerous is the failure to learn. The evidence is all around us, but we choose to ignore it and not to learn the lessons. And another disaster strikes. Intelligent operational risk management demands that we see and analyse the evidence and learn from it.

Once the data is gathered, the next challenge is to ensure that reports up and down the organisation are meaningful and useful; that they highlight the key risks the firm is facing and that reporting of risks, near misses, indicators and so forth is coordinated. Effective reporting should also involve causal analysis so that we can understand what really happened and can work out what to do to control our risks better. All reports, and all the information in them, should lead to action. If a report is not intended to lead to action, drop it.

Just give me the manual


If it were that easy, this book would not be necessary. Unfortunately, it isn’t that easy. For a start, as we said earlier, what you mean by operational risk is entirely up to you. In this book we can give you a framework to manage, but only you can decide what it is you are trying to manage. Only you can decide what your risk appetite is. Only you can establish the culture of control – or relative lack of control – in which you wish to operate. Each firm is different; each firm faces different risks; each firm will treat each aspect of operational risk management in a unique way.

And because of the infinite variety of operational risk, there is no universal answer to how to manage it in every case. Indeed, if operational risk is as broad as business risk, it’s logical to suggest that there are as many ways of managing operational risk as there are of running a business. There is no universal list of operational risks which applies to everybody. Nor is there a universal list of indicators. Risks are emerging all the time, just as they may recede or disappear as systems, the business or the external environment changes. Even if the list remains constant, the ranking of each risk will be constantly changing.

So there is no standard manual. And even if you write a manual of operational risk controls, processes and reporting procedures, it will be constantly evolving. If operational risk is managed intelligently, it demands constant re-evaluation both of the risks and their controls. It is not a one-off exercise which can be put away for a year, or even more frequently, until it comes up again in the diary. It is part of the everyday process of management, for which a procedures manual is not the answer. It needs to be in the blood.

Introducing the framework


Having overcome the challenges, it is time to put a management framework in place. As we said above, there may not be a manual which fits every firm, but a framework provides a structure for implementing and embedding operational risk management. Without a coherent framework you simply cannot get to first base.

The framework described in Chapters 3–9 is simple, succinct and straightforward. It covers the six major processes involved in operational risk management, from which any others can be derived. It represents a system which can be understood from the boardroom to the post-room. If there is clarity about what operational risk management entails, there is likely to be an effective and accepted implementation which can then reap the business benefits described in Chapter 2.

The operational risk management framework we use in this book is given in Figure 1.2. It sits within an overall operational risk environment, where each component interacts with the others to build the whole.
Figure 1.2 Operational risk management framework

Operational risk environment
  Governance
  Indicators: identify key risk and control indicators; action plans
  Risk and control assessment: identify risk and owner; specify risk appetite and assess likelihood and impact; identify control and owner; assess design and performance; action plans
  Events: identify and capture internal and external events; analyse causes; action plans
  Scenarios and modelling
  Reporting

Source: Courtesy of Chase Cooper Limited

Before we get to the chapters where each element is dealt with in detail, it would be good to consider them briefly. Governance (Chapter 3) is the first step in operational risk management. Good governance, through a board-approved operational risk policy and appropriate terms of reference for relevant individuals and committees, will ensure that the board and all staff have a clear view of the board’s strategy and objectives and of their responsibilities. Governance will also involve establishing the principles and main elements of the operational risk management framework.
The other essential to good governance is to ensure that appropriate reports (Chapter 7) are generated to enable everybody from the board down to understand the operational risks to which they are exposed at any one time. Reports on risk should be linked to relevant controls and actions, so that recipients can use them to remedy control failures, review risk appetite and perhaps remove controls. Good reports mean action. They demonstrate a firm’s commitment to using operational risk management to enhance the firm’s business decisions and continuously improve its performance.

The key to good reporting is to tailor it to the needs of the reader – at every level. Neither governance nor reporting is something which is solely about the board. That is why we use the term ‘governance’, rather than the board or similar, at the top of the framework. Operational risk management involves everybody. It is not hierarchical.

Having established the environment, we can now move to the engine room of risk and control assessment, recording events and near misses and establishing and monitoring key indicators. Risk and control assessment (Chapter 4) is often the first operational risk management process carried out by an organisation. Initial assessments will almost always be subjective, but even then they can be of significant business value if they are linked to the firm’s strategic objectives. As assessments progress and are linked to events and indicators they become more objective. However, a continued focus on the business objectives will help to ensure their relevance, as well as buy-in and use at all levels.

Losses (Chapter 5) often appear to lie at the heart of data-gathering for operational risk. Losses are of little use unless they are analysed to identify causes. Operational risk is about management. Understanding the causes of risk means that you can manage the risks themselves. Merely knowing their number and size is of relatively little value. Finally, within the engine room, indicators (Chapter 6) are invaluable management tools at every level of the organisation, provided they are concentrated on key risks and key controls.

And if you look closely at Figure 1.2, you will see that each of the boxes headed Indicators, Risk and control assessment, and Events has, at the bottom, the words ‘Action plans’. The framework is a framework for management. It is only worth doing if it leads to management action.

Which brings us to scenarios and modelling. Scenarios, of which stress tests are one aspect, are a practical and accessible way of assessing operational risks which, by their nature, are at the far end of the scale of both likelihood and impact. As with most operational risk processes and data, scenarios have to be handled with care, as is shown in Chapter 9. But because they rely on stories involving the real world of work, they can be a powerful means of involving staff and of getting buy-in. Stress tests and scenarios are themselves one aspect of modelling. As we shall see in Chapter 8, all the elements we have discussed in this section can be used in modelling and add significantly to the business benefits which can be derived. Good modelling, using risk and control assessments, for instance, can assist in a cost–benefit analysis of the controls used by a firm and the allocation of resources to new or improved controls.

But before we go into the detail of the framework, we need to get buy-in. Buy-in comes from showing that operational risk management really does add business benefit, which is the subject of the next chapter.



2 The business case for operational risk management

Introduction
Operational risk management as a marketing tool
Benefits of getting operational risk management right
Benefits beyond the framework
Business optimisation

25

M02_BLUN7323_01_SE_C02.indd 25 29/06/2010 09:52



Introduction
If you want to make the case for operational risk to senior management, you need to get their attention. That means talking to their agenda, in other words understanding and addressing their needs. Good operational risk management is fundamentally about informed decision making. If your decision making is better informed, your decisions are very likely to be better. Some of the fundamental elements of informed decision making with respect to operational risk management are:
• understanding the operational risk context of decisions (which is part of governance, see Chapter 3)
• distinguishing and differentiating your operational risks and how they are controlled (which is part of risk and control assessment, see Chapter 4)
• evaluating and assessing problems in the past (which is part of loss causal analysis, see Chapter 5)
• knowing where you are now (which is part of indicator analysis, see Chapter 6)
• knowing where you might be in the future (which is part of scenario analysis, see Chapter 9)
• allocating capital on an operational risk basis (which is part of modelling, see Chapter 8)
• getting the right information on past events, the present state of the operational risk environment and its possible future state (which is part of reporting, see Chapter 7).

The alternative, of poor operational risk management, will almost certainly lead to the business dying – either slowly, or suddenly because of a major operational risk event.

Good operational risk management will also help to instil a culture of continuous improvement and business optimisation. There are a number of links between operational risk management, business optimisation and Six Sigma and Lean management techniques which we will explore later in this chapter (and which are also part of the business outcome from modelling operational risk, see Chapter 8).

Operational risk management as a marketing tool


An additional benefit of operational risk management is as a marketing tool. A good example of this is Volvo which has turned safety into a marketing and sales opportunity. Safety is an attribute which is expected by the motoring public to be built into its cars, as it is an excellent mitigant of a number of
2 · The business case for operational risk management

motoring risks. However, Volvo has very successfully managed to use an inevitable risk control as a marketing and sales differentiator.

Similarly, in the financial services sector, many firms go beyond the regulatory requirements for the reporting of operational risk within their reports and accounts. The Basel Committee on Banking Supervision, in its new Accord (Basel II) published in 2005,1 aimed to raise standards in banking, in part through increased transparency of reporting. One of the three pillars of Basel II was the disclosure of information about the bank’s risk management. However, the regulatory disclosure requirements for operational risk were minimal compared with those for credit risk. It is clear that firms perceive a competitive advantage in making it clear to any reader that they identify, measure, monitor and manage their operational risks thoroughly and so many go into some detail explaining what they do. Where would you rather deposit your money? A firm which is making a concerted effort in its operational risk management, or a firm which is unable or unwilling to articulate what it does?

International and national accounting rules, and business review rules in the UK, have also joined the trend by requiring increasing disclosure of risk in the annual report and accounts. All of these are designed to bring risk management out into the open. But, again, many firms go beyond the minimum standards and a ‘boilerplate’ approach and see marketing gain from what was initially viewed as a tedious and oppressive necessity.

Benefits of getting operational risk management right

Benefits of getting operational risk governance right


Understanding the context within which operational risk decisions are made is a fundamental element of informed decision making. Good operational risk governance in the business will give increased comfort to the board and senior management that risks which impact on the business objectives are being managed effectively. Good governance provides greater assurance on the effectiveness of internal controls.

Clear operational risk governance is the base for developing an effective and consistent operational risk management framework. It will clarify:
• the operational risk policy of the firm and ensure that the board-approved risk appetite is aligned with its business policy and objectives
• risk and control ownership and accountability, thus reducing oversights and duplication of effort.

Operational risk is a potential threat to the objectives of the firm. Given that the management of the firm is generally driven by its objectives, a better understanding of operational risk will force clarity in the objectives and help to embed better operational risk management within the firm.

However, good operational risk management is as much about opportunities as threats. This means that, for every risk, the opportunities which are implicit in the risk should be explored, as well as the threats to the firm. Intelligent operational risk management enables a firm to exploit risk for its benefit, as well as protecting itself from the risks which are not exploitable.

Good operational risk governance, though, is not only about the existing business and risk environment of the firm. It should mean that discussions about new products, initiatives and business lines include the operational risks inherent in them. If not, major strategic decisions will be taken which are not fully informed.

Benefits of getting risk and control assessment right


It is vital to be aware of your operational risks and the controls that mitigate them. The ability to robustly identify, measure, manage and mitigate the operational risks to which the firm is subject, within a defined and clear structure of risk and control assessment, leads to consistent treatment and reporting of risk across the firm. Comprehensive and consistent information about the level of risk within the firm is clearly essential for the board and senior management to make informed business decisions.

An agreed methodology of risk and control assessment, which is applied across the firm, will also help to bring about a cultural change towards embedding operational risk management within the firm. This assists both senior management and those responsible for managing risk on a day-to-day basis within the business line. Clear assessment criteria will also help to ensure consistent and stable measurement of risk (see Chapter 4, Risk and control assessment, Assessing risks).

Risk and control assessments enable you to identify potential risk hotspots and control bottlenecks quickly. They also allow the firm to model operational risk, without having to wait for a number of years to gather accurate and complete operational loss data (see Chapter 8, Modelling). Risk and control assessments are a simple way of getting the benefits of operational risk management early.

Benefits of getting event and loss capture and analysis right


Learning from previous operational risk problems is a fundamental part of operational risk event analysis. Significant benefit can accrue from identifying the controls which have failed and the subsequent risk events which have happened. This is whether or not an actual loss has been incurred, or indeed a profit has been made. It is common for the same control to have been found to have failed in several parts of the firm. If this information is not captured, no-one will connect the incidents together. Nor will they pick up small losses which, repeated a number of times, perhaps in different places, can add up to a much bigger figure.

Reliable loss data can be used as a form of back-testing for operational risk exposure, for instance by identifying data gaps in the risk and control assessments. Risks and their associated control failures, which are detected in the event analysis, should appear in the relevant risk and control assessment as high residual risks and as poor controls – unless, of course, the firm has been going through a period of bad luck!

Comprehensive and consistent capture of events and losses will also aid loss causal analysis by providing a reliable set of data from which to draw tentative conclusions. It will highlight any gaps in the data and show potentially high loss areas. All sources of operational risk data will be recorded which may show gaps in the risk and control assessment programme.

Modelling benefits a firm through the use of objective (as well as subjective) data, as the losses and events are what has actually happened to the firm. Real events also help to validate the indicators discussed next. However, loss data is based in the past and future losses are just that: based in the future.

Benefits of getting indicators right


Having analysed the data from the past, it is important to look at where you are now. Indicators provide this information and, in particular, changes to the risk profiles of the firm. Indicators allow the firm to monitor its risks and controls in a way which allows trends to be identified quickly and action to be taken promptly.

Indicators also allow a firm to measure its exposure against its risk appetite, which can be set in terms of indicators. This enables financial resources to be targeted on those areas which will provide the business with the most benefit. Indicators facilitate the setting of realistic and achievable improvement targets to enhance controls and reduce risk.

By monitoring indicators of key risks, the firm may be able to identify oversights and duplication of effort. This will be achieved through being able to evaluate the risk and control environment, monitoring outstanding improvement actions and reviewing the performance of risk owners.

Benefits of getting scenario analysis right


Just as risk and control assessments look to the future, so scenario analysis helps explore alternative extreme, but nevertheless plausible, possible outcomes for a firm. In particular, scenario analysis allows the exploration of the risk and control sensitivities of the firm. It clarifies the interactions of the risks by examining them under stress conditions. It also helps to shed light on the causal relationships between the risks themselves and between controls and risks.

By creating risk and control data points which are outside the firm’s usual experience, scenarios compensate for the subjective nature of risk and control assessments and for the lack of internal loss data, which is a frequent problem for firms when assessing their operational risks. Likelihood and impact assumptions are tested by subjecting them to extreme conditions. Similarly, control design and performance assumptions are tested.

Scenarios are an excellent means of getting senior management attention; as a result, they can frequently lead to a reinvigoration of the risk and control assessment process. This is because scenarios should be performed by the senior management team as a whole, so that a complete and realistic review of their effects can be obtained. Scenarios also help senior management to move away from a historic risk management approach, towards a serious consideration of how the firm may look in the future.

Benefits of getting modelling right


Allocating operational risk capital on a risk-adjusted basis is a powerful incentive for senior management to manage its operational risks well. Implementing this leading practice in operational risk management also allows the firm to monitor more accurately its exposure against the expressed operational risk appetite of the board, as both exposure and appetite can be expressed in monetary terms.

Modelling allows the possibility of reducing a regulatory operational risk capital charge where this is applicable. A number of modelling approaches are discussed in Chapter 8. The use of an integrated approach to modelling (combining losses with qualitative data) can assist the business in forecasting future losses objectively. The scorecard approach allows the firm to target its resources and controls based on cost–benefit analysis.

Once an operational risk model has been established, operational risk costs can be incorporated into a pricing model. This is often either ignored or forgotten, leading to a lack of understanding of the true costs of a transaction to a firm and pricing which can ultimately be ruinous. Many firms in the financial services industry learned this to their disadvantage during the 2007/8 sub-prime crisis. Although this was seen as a credit risk event, it was fundamentally fuelled by the operational risk of failing to understand the relatively complex securitisation products which were used.

Benefits of getting reporting right


Good operational risk reporting allows the firm to develop a common operational risk language which in turn allows operational risk related activity to be conducted on a like-for-like basis. Detailed operational risk management activity can be prioritised, based on consistent scoring across the firm. Good operational risk reporting will also generate management involvement and consensus, which will drive the ongoing identification, assessment and control of operational risk.

Senior management monitoring of operational risk performance will challenge the results of operational risk management activity and further embed the firm’s approach to operational risk management. Risk ownership and control ownership can be clarified through good reporting and assist in identifying priorities for enhancing controls and the firm’s operational risk profile.

Benefits beyond the framework


But the benefits of good operational risk management do not just lie in the framework processes. There are also specific aspects of operational risk management which we deal with in later chapters: mitigants to operational risk such as business continuity and insurance; specific risks such as outsourcing risk, people risk and reputation risk.

Business continuity
The benefit of a robust, tested and up-to-date business continuity plan should be self-evident. Fundamentally, it is about survival. Business continuity, or indeed any contingency arrangement, is an essential tool of operational risk mitigation and uses the processes of operational risk in its creation and activation: risk assessment, scenarios and indicators. Just as with any other part of operational risk management, business continuity helps you identify your vulnerabilities. As we shall see in Chapter 10, you need to make sure that you are a survivor. The stakes can be that high in getting business continuity right. And, of course, if you can get back in business quickly, especially if an event occurs which affects both you and your competitors, you will have an immediate competitive advantage.

A good business continuity plan might even mean that you can negotiate a reduction in your business interruption policy premium, a point which we pick up next.

Insurance
The fundamental benefit of insurance is, of course, risk transfer at an appropriate cost. Operational risk is the flip-side of commercial insurance since, for the most part, commercial insurance – property, key man, product liability, public liability, directors’ and officers’ insurance – is there to cover operational risk. Without an effective operational risk management system in place, it is impossible to assess whether a particular insurance is appropriate, let alone whether the premium represents good value. With a good operational risk reporting process, however, the insured should have the bargaining chips, especially given that insurers are able to spread their risks and so make the deal attractive. Good operational risk information will also enable a firm to decide whether to insure through a captive, as discussed in Chapter 11, which can improve the financial benefits even more.

Outsourcing
Outsourcing is another example where good operational risk management is also good business management. If outsourcing is managed correctly, as we show in Chapter 13, it has the huge advantage of placing the outsourced activity and its associated risks in the hands of somebody who can perform them more efficiently than you: a good example, too, of operational risk management being about opportunities and not just threats.

Outsourcing should enable higher transaction levels, improved speed and quality of customer service and improved financial controls – another aspect of improved operational risk management. And, of course, it should reduce costs and improve profitability. But the primary aim, and most significant benefit, is to make the business and its risk management more efficient.

People risk
As we explain in Chapter 14, our people are not just a firm’s greatest asset, but
can potentially be its greatest source of operational risk liability. Good people
risk management is a fundamental part of good operational risk management.
It encourages an environment in which risks are reported, so that lessons can
be learned – an environment of continuous improvement. A good people
environment will also be one where people are open to change and are able
to respond flexibly and quickly to business opportunities, as well as to threats
to the business. With good operational risk management in place, people can
genuinely become a firm’s greatest asset.

Reputation risk
Reputation risk can seriously damage your health and wealth. Since repu-
tation risk almost always results from the occurrence of an operational risk, it
follows that good operational risk management is a vital part of good repu-
tation risk management. If you can prevent a risk happening, you will have no
reputation risk to deal with. And if you are the only one of your competitors to
have avoided the risk, your reputation will inevitably be enhanced. In Chapter



2 · The business case for operational risk management

15 we show some of the many ways in which reputation can be harmed, but
we also explain how operational risk management can reduce the chances of
reputation risk occurring, as well as how to deal with a reputational crisis if it
should occur. The costs of failure and the rewards of success are immeasurable.

Business optimisation
Operational risk management is not just about avoiding losses or reducing
their effect. It is also about finding opportunities for business benefit and con-
tinuous improvement. As we mentioned in the introduction to this chapter,
operational risk management can be used as the groundwork for Six Sigma
and Lean management approaches, as shown in Figure 2.1. The just-in-time
method of management relies on properly identifying, measuring, monitoring
and managing supply chain risks which are part of the universe of operational
risk. Additionally, quality circles rely on full and informed operational risk
management, as does total quality management.
The concepts of process improvement and business optimisation are funda-
mental parts of operational risk management and Six Sigma gives a structured
approach. The Six Sigma themes of focus on the customer and of fact-driven
proactive management are wholly compatible with good operational risk
management and many would argue are, indeed, the same themes as pervade
operational risk management. Further, the Six Sigma starting point of process
mapping can be very useful to operational risk management and gives business
benefit in its own right.

Figure 2.1 Interaction of operational risk management and Six Sigma and Lean management approaches

[Diagram, layered from top to bottom: process mapping, data collection and data analysis; process improvement; modelling, using Six Sigma and the Lean workbench; risk and control assessment (RCA), key risk indicators (KRIs) and events; and, at the foundation, the firm's objectives.]

Source: Courtesy of Chase Cooper Limited




At the business level, a robust and efficient operational risk system will
enable managers to react to events more quickly and with greater effectiveness.
At the board level, good operational risk management reduces the volatility of
performance and facilitates efficient resource and capital allocation.
From an investor point of view, operational risk management encourages
and allows an understanding of where shareholder value is being created or
destroyed. A good operational risk management system, fully embedded in the
business, will prevent any blindness to risk which may affect the profitability
of a business line or transaction. Risk and control perception is improved
by instilling a risk culture which leads to business optimisation. That
will be reflected in a firm’s credit rating. And it will also generate a significant
regulatory benefit in an improved relationship with the regulator, wherever
that is applicable. A further benefit is that if you get it right, you avoid paying
the lawyers!
Operational risk management is fundamental to successful business manage-
ment. It produces true business benefits in its own right. Having established
that principle, we can now go on to explore the operational risk management
framework in detail and get down to the practical mastery of operational risk.

Note
1 www.bis.org/publ/bcbsca118.htm



Part 2 · The framework

3. Governance
4. Risk and control assessment
5. Events and losses
6. Indicators



3 · Governance

Introduction
Operational risk management framework
Operational risk policy
Operational risk appetite
Roles and responsibilities statements
Glossary
Timeline



Part 2 · The framework

Introduction
Good governance is the starting point for good operational risk management.
Given that risk management is vitally important to all firms, good operational
risk governance should be one of the board’s primary aims. It is essential for
the effective embedding of operational risk management into a firm’s everyday
activity. It is not a rigid set of rules, nor is it a box-ticking exercise, but the
basis of good business conduct.
Risk management has also become a focus of investor as well as supervi-
sory attention and investors are increasingly looking to firms for clear evidence
of good governance. As we saw in Chapter 1, there are numerous corporate
governance codes and requirements around the world which apply to the risk
management of any firm, particularly if it is publicly listed. The point of good
corporate governance is to establish a system which ensures effective account-
ability on the part of a board to investors and other stakeholders.
Operational risk governance is about the organisational structure of the firm
and accountabilities for operational risk management, including risk owner-
ship. It includes: the risk culture which the firm displays; the attitude of the
board and senior management to risk and its risk management staff; and may
include awareness sessions for both the board and staff. As was also said in
Chapter 1, culture is as much about the tune in the middle as the tone from
the top of the firm, so governance is the responsibility of everybody in the
firm, not just the board. A firm operating good governance will encourage dia-
logue and challenge on operational risks up and down the organisation.
The acid test that operational risk is embedded in the firm is how it uses
operational risk management methodologies and techniques in its day-to-day
management. This is often referred to as the ‘use test’. Can the firm demon-
strate that operational risks are considered fully when strategy is being set:
when a possible merger is being considered for instance; when a new product is
being mooted; indeed when any business decision is being made?
Operational risk governance, in common with other forms of corporate
governance, is about enabling the board and senior management to guide and
direct operational risk strategy and to review its effectiveness. From a practical
perspective, this will encompass:
• a framework showing how to identify, measure, monitor and manage operational risks
• a policy document approved by the most senior executive body of the firm
• terms of reference for relevant bodies, departments and persons
• a timeline for tracking and reviewing the development of operational risk processes within the firm.



3 · Governance

Operational risk management framework


A framework for operational risk makes the practical implementation of
governance possible.
Figure 3.1 gives a pictorial representation of a framework which shows,
at a high level, in one diagram, how a firm will identify, assess, measure,
monitor and manage its exposure to operational risks. This is invaluable in com-
municating to all staff the fundamental elements of the firm’s operational risk
management processes.
The framework shown in Figure 3.1 is the one we use in this book and
which was introduced in Chapter 1. It has the merit of simplicity and concen-
trates on the essential processes of operational risk management. The various
elements work together within the overall operational risk environment.
Governance provides an over-arching organisational structure within the
firm’s culture. It establishes the three lines of defence discussed in Chapter 12,
Internal audit (see Figure 12.1), which underpin risk management: risk taking
at the business level, risk oversight and independent assurance. These ensure
clarity of operational risk management roles and responsibilities. To be effec-
tive, though, governance depends on a monitoring and reporting process which
is as comprehensive as possible – the critical links between the top and bottom
of the diagram. The information on which reports are based is provided by the
various processes at the centre of the framework, which, with reporting, are
treated in detail in the chapters that follow.

Figure 3.1 A typical operational risk management framework

[Diagram, top to bottom: the operational risk environment encloses everything; governance sits across the top; beneath it run three process columns, each ending in action plans:
  Indicators: identify key risk and control indicators
  Risk and control assessment: specify risk appetite; identify the risk owner and the control owner; assess likelihood and impact; assess control design and performance
  Events: identify and capture internal and external events; analyse causes
Below the columns sit scenarios and modelling, and at the foot, reporting.]

Source: Courtesy of Chase Cooper Limited




Frameworks can take many forms. Framework ‘A’ (Figure 3.2), for example,
is in the form of the familiar ‘temple’ image.

Figure 3.2 Operational risk management framework ‘A’

[Temple diagram]
Key-stone: Assurance
Pillar 1, Strategy and governance: Definition; Policy; OR appetite; Roles and responsibilities
Pillar 2, Identification and assessment: Firm-wide coverage; R&C identification; R&C assessment; R&C ownership
Pillar 3, Monitoring: Firm-wide indicators; Business unit indicators; Loss causal analysis; Exception reporting
Foundation: Common understanding / Embedded risk management

Its three pillars are: strategy and governance, identification and assess-
ment, and monitoring. Within these can be found the elements of the
framework shown in Figure 3.1. Framework ‘A’ shows that a common
understanding and embedding of risk management is the fundamental
foundation. In this framework, assurance is shown as the key-stone and
over-arching process, rather than being part of governance.
Framework ‘B’ (Figure 3.3), interestingly, separately identifies governance
and structure, and strategy and policy. It shows the risk management cycle
of risk identification, risk assessment, management and mitigation, moni-
toring and reporting, but does not identify the processes which are used to
achieve that.
Framework ‘C’ (Figure 3.4), in common with Framework ‘A’, makes ref-
erence to independent assurance. It also shows the information flows from
reporting to strategy/goals and to and from reporting and independent assur-
ance. Once an informed strategy has been agreed, the firm can establish its
governance and risk management environment. In addition, Framework ‘C’
explicitly recognises that action plans are a central part of operational risk
management and that they can flow from risks, controls, indicators and loss
causal analysis.




Figure 3.3 Operational risk management framework ‘B’

[Diagram: two boxes, ORM governance and structure, and ORM strategy and policy, sit above the risk management (RM) process, which is drawn as a cycle of risk identification, risk assessment/quantification, mitigation/management, monitoring and reporting.]

Figure 3.4 Operational risk framework ‘C’

[Diagram: strategy/goals sit above governance and environment, with independent assurance alongside. The cycle comprises identify risks, assess risks, identify controls, assess controls, monitor indicators and analyse near miss/loss causes, with action plans at the centre and reporting at the foot; information flows from reporting to strategy/goals and between reporting and independent assurance.]




Having agreed on a framework in which the key elements of operational risk
management have been identified, the second element of governance is to
formulate an operational risk policy.

Operational risk policy


A clear operational risk policy supports the organisation in achieving its busi-
ness objectives. Along with the framework, it also allows the board and senior
management to communicate to all staff the approach of the firm to oper-
ational risk management. As such, the policy should be approved by the board.
The executive or management committee may develop the policy document
or, at a minimum, review and comment on it, but ultimate responsibility for
approving and implementing it rests with the board.
The contents of an operational risk policy vary from firm to firm and are
dependent on the firm’s culture and the typical structure of its policies. They
will also be consistent with the scale, nature and complexity of the firm.
An operational risk policy should, as a minimum, contain:
• A definition of operational risk. This was dealt with in Chapter 1, where we considered issues such as whether strategic and reputation risks should be included and how the ‘boundary’ issue is to be dealt with, where operational risk inevitably overlaps other risk types. One further consideration is whether operational risk losses involve only ‘direct’ losses, i.e. those where there is a debit to the P&L, or whether they include ‘indirect’ losses, for example, the cost of internal staff, opportunity costs or lost profits caused by an operational risk event (see Chapter 5, Events and losses, What is meant by an event).
• A statement of operational risk appetite. This is often a high-level initial statement which will be broadened and deepened over time as the firm gains knowledge of the operational risk management processes and how these are used in the firm.
• An overview of the operational risk management processes. Although this is necessarily high level in a policy, it helps significantly in making clear that the board and senior management are aware of, and have considered how, operational risk management will be carried out by the firm. It should include a short description of each process, together with the links and reinforcements between each process, to show a considered, holistic approach to operational risk management. The various processes will be dealt with in detail in Chapters 4 to 9.
• A statement of the roles and responsibilities of various personnel and departments. It is especially important that the board recognises and actively manages the potential conflicts of interest which exist between operational risk, internal audit and compliance. This point is particularly



applicable to any firms where operational risk management was initially car-
ried out by either internal audit or compliance. Clear roles for these three
areas must be documented. In smaller organisations, the three functions
often overlap. Extreme care should be taken, however, even in small firms,
to ensure the independence of internal audit (see Chapter 12, Internal audit).
• A glossary of terms. It is vital that all staff have a clear explanation and understanding of the various terms used in operational risk. Even seemingly innocuous terms such as risk event, control and loss can give rise to confusion if they are not clearly defined and understood.
In addition, policies will often have references to:
• categories and sub-categories of risk and of operational risk
• the role that central risk management plays in the firm (as compared with the risk management units in the businesses)
• how to deal with deviations from policy
• how issues are escalated and resolved
• risk reporting flows of information.
Many of these elements are dealt with elsewhere in the book, but it is worth looking briefly at operational risk appetite and at roles and responsibilities for operational risk management, and giving some suggestions of definitions which might be helpful in compiling a glossary of operational risk terms.

Operational risk appetite

Defining operational risk appetite


A typical definition of risk appetite is as follows:

Definition: Risk appetite

The risk of loss that a firm is willing to accept for a given risk-reward ratio
[over a specified time horizon at a given level of confidence].

The clause in square brackets gives more precision and is often included in def-
initions of risk appetite by more sophisticated firms which are further down
the road of risk modelling. Clearly this broad definition is as applicable to
operational risk as it is to other types of risk.
Trying to write a similar definition for operational risk appetite is more
difficult. One approach is to look at individual loss categories and to write
statements covering these.




Definition: Operational risk appetite

Financial crime: The firm has no appetite for financial crime and will implement
appropriate measures to control it.
Or
Reputational losses: The firm has no appetite for adverse media coverage and
will use every effort to ensure that events which could lead to such coverage
are avoided.
Or
Legal and regulatory risks: The Group has minimal risk appetite and seeks
to operate to high ethical standards. (LloydsTSB Group Report and Accounts
2008)
Another might attempt to quantify its operational risk appetite as follows:
To manage the firm’s operations to ensure that unmitigated losses are no
more than x% of profit before tax in any three-year rolling period.
Or
The firm has no appetite for individual operational risk losses above £x
and cumulative losses of £y within a 12-month period. Any individual
operational risk losses exceeding £z are to be reported to the Audit and
Operational Risk Committees.

All of these definitions acknowledge, as we saw in Chapter 1, that the traditional
view of risk appetite – that it should be a hard number and that it
should be limit based – is not appropriate for operational risk. Many oper-
ational risks are unavoidable and, even if an appetite for loss is agreed, it will
be exceeded, despite the controls and other mitigants which are in place.
The intelligent view of operational risk appetite recognises that, whilst
there are different ways of mitigating operational risk, thresholds and targets,
rather than hard limits, are the relevant way to express operational risk appetite.
Appetite can also be expressed using the various processes in the operational
risk framework. We shall see how that can be achieved later in this chapter.

Operational risk appetite in the business


Determining the operational risk appetite of a firm is an important compo-
nent of any firm’s operational risk management approach. Used effectively,
operational risk appetite will influence the operational risk culture, operational
risk operating style and operational risk resource allocation. Operational risk
appetite, in common with other risk appetites, represents the firm’s view of
how much strategic risk can be taken to help achieve business objectives, while
respecting the constraints within which the firm operates.




Whilst senior management, of course, plays a fundamental role in determining
the operational risk appetite of the firm, it should be approved by the
board. This sends a clear signal to all staff that the operational risk appetite
agreed by the board should clearly govern the activities of all employees. It
also defines the boundaries within which the firm’s business objectives should
be pursued. From an operational risk perspective, this is fundamental, as oper-
ational risk identification and assessment is undertaken in relation to the firm’s
business objectives.
The operational risk appetite of the firm is also important in manag-
ing shareholder expectations regarding the amount and type of risk which is
accepted. Whilst the appetite of the firm for market risk and credit risk is rel-
atively easy to articulate and quantify, operational risk appetite will include
elements which cannot be measured quantitatively, including some risks for
which there may be no appetite whatsoever, such as employee deaths or in-
juries due to poor health and safety procedures.

Risk appetite and risk tolerance


Some firms seek to differentiate between operational risk appetite and oper-
ational risk tolerance. This is often explained by reference to the example of
theft of the firm’s assets. Whilst there is no appetite for theft in any organ-
isation, many senior managers expect that some level of theft of assets will
inevitably occur (if only of pens and paper clips). This level is tolerated even
though there is no appetite for allowing theft itself.
An example where there are different levels of appetite and tolerance in dif-
fering industries is the risk of ‘death or injury whilst working for the firm’. In
the financial services industry, as with all others, there is a zero appetite for
this risk. Financial services employees, though, are not exposed to the risk of
death or serious injury in their normal work, other than as targets for armed
raids, so that the outcome is likely to be in line with risk appetite.
The construction industry also has a zero appetite. But it is more likely, in a
high hazard industry, that deaths or injuries will occur. Having said that, and
possibly as a result of pressure from customers, employees and the public, con-
struction has put a lot of effort into improving safety over recent years and has
significantly reduced the number of deaths. According to the UK Health and
Safety Executive, fatalities have fallen from 5.9 per 100,000 workers in 2000/1
to 2.5 per 100,000 in 2008/9. Major accidents have fallen from 381 to 254
over the same period.
In 2008, one of Britain’s major construction companies, Balfour Beatty,
decided to take the process a stage further and introduced the ‘Zero harm’
project on its construction sites and throughout the company worldwide. Its
stated aim is that, from 2012 onwards, there will be:




• ‘Zero deaths
• Zero injuries to the public
• Zero ruined lives among our people.’
Balfour Beatty has estimated that approximately half a million people
are working on their sites during a 12-month period, most of them sub-
contractors, and that figure excludes the public on and near their sites, for
whom they also accept responsibility. The project has an ambitiously low risk
appetite, but, as with all the best operational risk management strategies, it is
founded on good communication. The ‘Zero harm by 2012’ project slogan and
logo (see Figure 3.5) – ‘Zero Harm by 2012’ alongside a large zero in a strik-
ing shade of orange – are simple and powerful, and quickly and clearly convey
to employees and sub-contractors the company’s risk appetite.

Figure 3.5 Balfour Beatty ‘Zero harm by 2012’® logo1

Balfour Beatty sees eradicating serious accidents as a competitive virtue.
The common vision is shared by the group’s leadership; it is constantly
communicated at every level, including to sub-contractors who must sign up to
it; best practice is freely shared; and peer pressure keeps everybody driving
towards the target. The benefits of operational risk management in action.
A further example of zero appetite comes from the retail sector where theft
of goods is euphemistically referred to as ‘shrinkage’. Most firms will set a level
of shrinkage that is tolerated by senior management. However, the appetite of
the sector can be determined from notices posted around shops which clearly
state ‘Shoplifters will be prosecuted’.

Whose appetite is it anyway?


Another complicating factor for operational risk appetite is the question:
‘Whose appetite is it anyway?’ There are natural tensions between the board,




senior management and the shareholders which lead to at least three levels of
appetite for any firm:
• Senior management’s operational risk appetite is likely to be relatively short term and focused on business opportunities, which makes it inevitably bullish in nature, i.e. thresholds/targets are likely to be significant in size. An example could be a merger, which will often lead to acceptance of a considerable increase in operational risk to reflect the period of significant change that will be involved. An intelligent senior management will also increase its relevant operational risk thresholds accordingly.
• The board’s risk appetite is likely to be longer term in nature and lower than senior management’s. Continuing the merger example, the board will state an operational risk threshold, perhaps in terms of the capital it is willing to risk. This may well be exceeded by senior management, even though it is attempting to manage to the board’s operational risk policy threshold. The issue will then be resolved, depending on the firm’s culture and processes of communication and reporting between senior management and the board.
• The shareholders’ risk appetite is likely to be the lowest of the three and will probably be focused on the smallest possible volatility in earnings consistent with a reasonable return.
It is important for the board periodically to review and challenge the risk
appetite which has been proposed by senior management. Following the
review or challenge the board should reconfirm its appetite, with appropriate
changes where necessary. During the challenge period, the board should assure
itself that senior management has considered all foreseeable emerging oper-
ational risks to which the firm may be subject and that appropriate processes
and resources are being utilised to manage them.
Within the firm there will also be different approaches to operational risk
appetite at each level, so that we need to ask the question: ‘At which level within
the firm are we considering our operational risk appetite?’ In any firm there are
at least four levels which have different approaches to operational risk appetite:
• the board, who will frequently seek a risk appetite in terms of capital (either economic or regulatory) and profit
• senior management, who will tend to define operational risk appetite in terms of risk and the action taken to manage and mitigate each risk
• business units, which may well use the classic approach to operational risk management of defining their operational risk appetite through risk and control assessments, key risk indicators and loss data
• business support functions, which mostly focus on key risk indicators and loss data.




This is shown diagrammatically in Figure 3.6.

Figure 3.6 Appropriate levels of risk appetite

Board: the board defines ORA in terms of capital
Senior management: senior business sector management define ORA in terms of risk and reaction
Business unit: business units define ORA in terms of risk control self-assessment, KRIs and loss data
Business support function: business support functions define ORA in terms of KRIs and loss data

Source: Courtesy of Chase Cooper Limited

Reputation risk appetite


One of the challenges which the board should give to senior management is
proper consideration of reputational loss. Whilst some firms consider repu-
tational loss as part of the overall impact of a risk event, others consider
reputational loss as a separate impact, often using the same scale as is used
for risk impact scoring. If this is done, the reputational loss may be greater
than, or less than, the impact to the firm from the direct loss from an event.
Combining the two assessments will give a total risk loss. However, if the two
assessments are kept separate it is possible that there will be double-counting
of some elements.

Expected and unexpected losses


Before looking at different ways of expressing operational risk appetite there
is one other point which needs to be considered: which type of operational
risk appetite is the firm considering – expected or unexpected operational risk
appetite? The expected operational risk appetite reflects the amount of loss to
which the firm is subject, assuming that its controls are operating normally.
This is effectively ‘business as usual’ and is a relatively easy level of loss to
identify and measure, as it is the amount of loss which the firm suffers on a
regular day-to-day basis. It is usually provided for in the budget or in special
provisions. This expected operational risk appetite can, of course, be back-
tested by comparing it with actual attritional losses.
From a strategic perspective, it is more helpful to consider the unexpected
loss that a firm may suffer. This is the loss to which the firm is subject when




controls fail. It is a much larger figure than the expected loss, as it is usually at
a lower frequency and higher severity. It is, therefore, more difficult to identify
and calculate. Scenario analysis can be helpful when considering operational
risk appetite at an unexpected loss level (see Chapter 9, Stress tests and scen-
arios). If mathematical models are used in the calculation of unexpected losses,
the process will almost certainly be less accessible to most senior management,
unless they are given statistical training. Unexpected loss is effectively what a
firm’s capital and profits are there to absorb.

Different ways of expressing operational risk appetite


Many commentaries on risk appetite state that it should be firmly grounded in
the firm’s financial reporting. From the perspective of operational risk appe-
tite this is often easier said than done. However, there are a number of ways in
which the various components of the operational risk management process can
be used to define and manage operational risk appetite.

Absolute figures
At an individual risk level, the main link to the firm’s financials is through
the amount of loss that the firm is willing to accept in relation to that par-
ticular risk. One practical way of expressing the firm’s operational risk appetite
is therefore through the monetary loss which the firm is willing to accept for
each risk to the strategic objectives.
Figure 3.7 shows how a firm may deduce its risk appetite by considering its
actual losses against a loss distribution, with the capital determined at a spe-
cific confidence level. This can be done at an overall firm-wide loss level or at

Figure 3.7 Risk appetite in relation to actual loss experience

[Chart: losses plotted against time. The actual loss experience fluctuates around the mean, which is the expected loss (BAU); a higher horizontal line marks the appetite (tolerance); losses above it are unexpected loss.]

Source: Courtesy of Chase Cooper Limited




a loss category level, where sufficient data exists to generate a reliable distribu-
tion and its analysis.
The board may decide that its acceptable risk tolerance lies at the mean of
the losses incurred over a given period of time for a particular risk. It can then
decide at what point on the curve it should identify thresholds, including for
the level of loss it considers unacceptable. Once this is established, risk assess-
ment can be matched to a scale of monetary values as a basis for risk appetite.

Risk and control assessments


As a starting point, and following the board’s overall risk policy, low, acceptable, warning and unacceptable levels of annual loss are separately identified for the firm as a whole, probably at risk committee or board level. Wherever they are agreed, it is important that the decisions are made independently of the figures which emerge from the risk and control assessment itself; otherwise the appetite simply follows the assessment rather than constraining it. These loss thresholds are shown at the top of Figure 3.8 and form the basis for the identification of risk appetite by risk.

Figure 3.8 Risk appetite using risk assessment scores (1)

Annual loss thresholds (£)
Low             25,000
Acceptable     100,000
Warning        450,000
Catastrophic 1,500,000

Impact per event (£)
Band       Lower bound   Upper bound   Mid-point
Low                  0        50,000      25,000
Med-low         50,000       150,000     100,000
Med-high       150,000       500,000     325,000
High           500,000     1,500,000   1,000,000

Likelihood of event (per annum)
Band       Lower bound   Upper bound   Alternative label             Mid-point
Low               0.04          0.10   10% likely in next year            0.07
Med-low           0.10          0.33   30% likely in next year            0.22
Med-high          0.33          1.00   Very likely in next year           0.67
High              1.00         12.00   Several times in next year         6.50

Source: Courtesy of Chase Cooper Limited

Ranges are assessed for the impact and likelihood of each risk, which are
used to calculate a mid-point for each band (see Figure 3.8). It is then a
simple matter for the mid-points for impact and likelihood to be multiplied
to achieve a heat map which can be coloured according to the appetite levels
already identified (see Figure 3.9).


Figure 3.9 Risk appetite using risk assessment scores (2)

Expected annual loss (£) = impact mid-point × likelihood mid-point

Impact \ Likelihood   Low (10% likely)   Med-low (30% likely)   Med-high (very likely)   High (several times)
High                          70,000                220,000                  670,000              6,500,000
Med-high                      22,750                 71,500                  217,750              2,112,500
Med-low                        7,000                 22,000                   67,000                650,000
Low                            1,750                  5,500                   16,750                162,500

Source: Courtesy of Chase Cooper Limited

From the format used in Figure 3.9 it is possible to see immediately which risks in the risk assessment are outside the agreed appetite. The values in the bottom left-hand corner are so small that they can safely be ignored. If any risks fall in the top right-hand corner, immediate action should be taken, as these are considerably beyond acceptable levels.
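To make the arithmetic behind Figures 3.8 and 3.9 concrete, the following Python is an added worked example and is not code from the book or from Chase Cooper. It copies the band bounds, the published mid-points and the annual loss thresholds from Figure 3.8, rebuilds the Figure 3.9 grid, and scores a constructed sample risk register against the thresholds. The rule for turning the four thresholds into zones (each figure taken as the upper bound of its zone, with anything above £1,500,000 treated as catastrophic), the zone names, the sample risks and all function names are assumptions made for this example. It also goes one step beyond the text: for each cell it reports the zone at the band bounds as well as at the mid-point, which shows how a single cell can straddle acceptable and unacceptable levels.

```python
"""Risk appetite heat map from assessment bands (Figures 3.8 and 3.9).

Added worked example; this is not code from the book or from Chase Cooper.
Band bounds, published mid-points and annual loss thresholds are copied
from Figure 3.8. The zone labelling rule and the sample risks are
assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Band:
    lower: float
    upper: float
    mid: float  # as published in Figure 3.8 (likelihood mid-points are rounded)


# Impact per event, GBP.
IMPACT = {
    "Low": Band(0, 50_000, 25_000),
    "Med-low": Band(50_000, 150_000, 100_000),
    "Med-high": Band(150_000, 500_000, 325_000),
    "High": Band(500_000, 1_500_000, 1_000_000),
}
# Likelihood, events per year.
LIKELIHOOD = {
    "Low": Band(0.04, 0.10, 0.07),       # about 10% likely in the next year
    "Med-low": Band(0.10, 0.33, 0.22),   # about 30% likely
    "Med-high": Band(0.33, 1.00, 0.67),  # very likely
    "High": Band(1.00, 12.00, 6.50),     # several times a year
}
# Annual loss thresholds, GBP. Assumption: each figure is the upper bound of
# its zone, and anything above the last is treated as catastrophic.
ZONES = [
    ("low", 25_000),
    ("acceptable", 100_000),
    ("warning", 450_000),
    ("unacceptable", 1_500_000),
]


def zone(annual_loss: float) -> str:
    """Map an expected annual loss to the board's appetite zone."""
    for label, upper in ZONES:
        if annual_loss <= upper:
            return label
    return "catastrophic"


def expected_annual_loss(impact: str, likelihood: str) -> float:
    """Mid-point impact x mid-point likelihood, as in Figure 3.9 (nearest penny)."""
    return round(IMPACT[impact].mid * LIKELIHOOD[likelihood].mid, 2)


def heat_map() -> dict:
    """Rebuild Figure 3.9: {impact band: {likelihood band: expected annual loss}}."""
    return {i: {l: expected_annual_loss(i, l) for l in LIKELIHOOD} for i in IMPACT}


def cell_range(impact: str, likelihood: str) -> tuple:
    """Smallest and largest annual loss consistent with the band bounds.

    The mid-point gives one number per cell; the bounds show how wide the
    cell really is, which matters when a cell straddles a threshold.
    """
    i, l = IMPACT[impact], LIKELIHOOD[likelihood]
    return round(i.lower * l.lower, 2), round(i.upper * l.upper, 2)


def assess(risks: dict) -> dict:
    """risks: {name: (impact band, likelihood band)} -> verdict per risk."""
    verdicts = {}
    for name, (imp, lik) in risks.items():
        eal = expected_annual_loss(imp, lik)
        lo, hi = cell_range(imp, lik)
        verdicts[name] = {
            "expected_annual_loss": eal,
            "zone": zone(eal),
            "zone_at_bounds": (zone(lo), zone(hi)),
        }
    return verdicts


def outside_appetite(verdicts: dict, accepted=("low", "acceptable")) -> list:
    """Names of risks whose mid-point score falls outside the accepted zones."""
    return sorted(n for n, v in verdicts.items() if v["zone"] not in accepted)


# Constructed sample risk register (not from the book).
SAMPLE_RISKS = {
    "Loss of IT system": ("High", "Low"),
    "Help desk overload": ("Med-high", "Med-high"),
    "Minor data-entry errors": ("Low", "High"),
    "Stationery over-ordering": ("Low", "Low"),
}

if __name__ == "__main__":
    for imp, row in heat_map().items():
        print(f"{imp:9}", "  ".join(f"{v:>12,.0f} {zone(v):12}" for v in row.values()))
    for name, v in assess(SAMPLE_RISKS).items():
        print(name, v)
    print("outside appetite:", outside_appetite(assess(SAMPLE_RISKS)))
```

Running the block prints the Figure 3.9 grid with a zone against each cell and then the verdicts for the sample register. The zone_at_bounds field is the check a practitioner wants before acting on a heat map: ‘Help desk overload’ scores as warning at the mid-point but ranges from acceptable to unacceptable across its band bounds, so an action plan driven by the mid-point alone may be either unnecessary or insufficient.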

Using risk and control assessments


Another method of setting and managing operational risk appetite, as will be seen in Chapter 4, Risk and control assessment, is to use risk assessment scores which are linked with the quality of the mitigating controls and displayed graphically, as in Figure 3.10.
This graphical representation of risk and control assessment scores is constructed by multiplying the likelihood and impact scores for a risk and, separately, multiplying the relevant control design and control performance scores. This allows a comparison of the relative levels of different risks and their mitigating controls and enables an implied current risk appetite to be derived.
For example, from Figure 3.10, it appears that the risk ‘Operational threats to IT’ is relatively small at a gross level and is very well controlled. This implies that the firm has a very low appetite for this risk as it has a high mitigation level. If this is not the case, the firm can afford to reduce its controls and free up resources which can be applied elsewhere.
The risk ‘IT dependency on people’ has been assessed as quite high, although the controls have been assessed as relatively poor. The implication here is that the firm has a high appetite for this risk. If this is not the case, the firm should put in place action plans to enhance its controls. These may be drawn from the resources freed up in the paragraph above.
Approaching operational risk appetite in this way means that the firm can adjust its resource application to be more consistent with, and a better fit for, its actual appetite, whilst keeping its resource spend at a minimum level.


Figure 3.10 Risk appetite using risk and control assessment scores
[Radar chart, scale 0 to 200, plotting two series, risk score and control score, for each of the following IT risks: Computer applications poorly specified; Computer systems not adequately protected; Systems and processes not adequately protected (this label appears twice on the chart); Dependency on technology; Dependency on external suppliers; Legacy systems will not support business; Investment in technology; Testing of systems; Operational threats to IT; Training procedures for IT; Systems manuals and procedures documentation; IT dependency on people; Systematic approach to IT strategy.]
Source: Courtesy of Chase Cooper Limited

Using risk indicators


An alternative method for setting risk appetite is through key risk indicators (KRIs). This enables one or more appetites to be set for the same risk, one for each indicator identified for that risk. As noted in Chapter 6, Indicators, KRI thresholds explicitly identify a firm’s risk appetite. Figure 3.11 shows a green band for the indicator running from above 3 to below 7. If the indicator reaches 3 or 7, therefore, it has left the green band and the appetite for this indicator has been breached. Equally, if the indicator reaches 1 or 8 there is a significant breach of appetite, with the indicator in the red band.
Figure 3.11 Risk appetite using KRI thresholds
[Chart: red, amber and green threshold bands for a single indicator, as described in the text above.]
Source: Courtesy of Chase Cooper Limited

Figure 3.12 Risk appetite using KRI thresholds for ‘Number of help desk queries’

Band      Red          Amber     Green      Amber      Red
Queries   2 or fewer   3 to 7    7 to 15    16 to 25   over 25

As a practical example, consider the bands for the risk ‘Loss of IT system’ and the indicator ‘Number of help desk queries’ in Figure 3.12. The boundaries of the firm’s appetite around this indicator are very clear (and, by implication, the management of the risk of loss of IT system is much clearer than it might otherwise be). The usual number of queries expected is between 7 and 15 per day. If ‘Number of help desk queries’ is over 25 per day this is a clear signal that the systems are failing the business and that there is a very high likelihood of a loss of the entire system. In this event there is clearly a senior management problem that requires immediate attention, and it would be likely to be referred to the board, as loss of IT system is a typical strategic risk. If ‘Number of help desk queries’ is 2 or fewer, the firm should question whether there is a problem with apathy towards the help desk (because queries go unanswered, for example), which may equally indicate a likely failure of the IT system. One practical check when bands are defined: adjacent bands should not share a boundary value, as the lower amber band (3 to 7) and the green band (7 to 15) do in Figure 3.12, or a reading of exactly 7 is both within and outside appetite. Make the bands contiguous but non-overlapping (for example amber 3 to 6, green 7 to 15), so that every reading maps to exactly one colour.

Using numbers of losses


Comment has already been made on the size of loss attributable to an operational risk being one way to express the appetite for that risk. However, an even simpler measure relating to losses is the number of losses. This is a straightforward count of the number of losses relating either to a particular risk or to a category or sub-category of risks.

Figure 3.13 Risk appetite using number of losses

Source: Courtesy of Chase Cooper Limited

In Figure 3.13 it can be seen that, by business line, there is a range of between 10 and 79 for the number of losses captured relating to external fraud. It may be that the firm has different appetites for different business lines. For example, external fraud may be more likely in retail parts of the firm, although the impact is likely to be smaller than in the corporate and wholesale parts such as Trading and Sales or Corporate Finance. However, a simple count across the firm can be used for an appetite for external fraud and this may be said to be no more than 20 losses in the period. If this is the case, four out of the eight business lines have exceeded the firm’s appetite for external fraud. This may result in an action plan to investigate the relevant controls in the four delinquent business lines, perhaps carried out by internal audit.

Using economic capital


Operational risk appetite, in common with other risk appetites, can also be expressed in terms of the capital (economic or, as in Figure 3.14, regulatory) required to support a business line and with reference to particular loss event types. Figure 3.14 gives an example of this and shows the capital required to support the risks allocated to each cell. It can be seen that column 4, Clients, Products and Business Practices, is a significant consumer of capital and that Retail Banking and Trading & Sales have probably exceeded the firm’s risk appetite for this loss event type. Additionally, the Payments & Settlements line of business has suffered a massive internal fraud which has also undoubtedly exceeded the firm’s risk appetite for this loss event type.

Figure 3.14 Risk appetite using regulatory capital modelling
Source: Courtesy of Chase Cooper Limited

Roles and responsibilities statements


There are a number of individuals, functions and bodies which will be assisted in carrying out their operational risk duties by having a statement of roles and responsibilities with respect to operational risk. These include the board, audit committee, executive operational risk committee, the business lines, the internal audit function, the compliance function and the head of operational risk. Examples for each of these are given below, but they are only a guide. How statements of this sort are used will depend not only on the actual responsibilities of individuals within each firm, but also on the way in which such statements are expressed and disseminated within individual firms.

Board of directors
The board sets the tone and culture of the firm and also the business objec-
tives. In addition, it has a vital oversight role. Given this, it is important
that its role and responsibilities in operational risk are clearly articulated and
understood. The board should:
• understand the operational risk profile
• approve the operational risk policy and operational risk management procedures
• periodically assess the effectiveness of its operational risk governance practices and oversight
• determine that senior risk executives are qualified, and fit and proper to manage operational risk
• provide oversight of operational risk, and question and insist upon straightforward explanations from senior management
• make sure the information it receives is appropriate and of sufficient quality to support and not hinder its risk oversight role
• receive on a timely basis sufficient information to judge the performance of senior management with regard to operational risk, in particular using the work conducted by the internal audit function, external auditors and the various internal control functions
• implement a programme of ongoing education in operational risk for board members.
Finally, and most importantly, one board director should have particular responsibility for risk.

Audit committee
The roles and responsibilities of the audit committee in relation to internal and external audit are considered more fully in Chapter 12, Internal audit. Increasingly, boards are forming separate risk committees to maintain board level oversight regarding risk management and reporting. The Walker Review of governance in banks, which was instigated by the UK government in the aftermath of the financial crisis of 2007/9, recommended that all FTSE-100 banks and other major financial institutions should establish a board risk committee separate from the audit committee.² However, where this is not the case, the audit committee should:
• keep the firm’s internal controls and operational risk management systems under review
• receive reports from management on the effectiveness of operational risk management systems and of any tests carried out on them
• review and approve any statements about operational risk management contained in the company’s public financial reports.

Executive operational risk committee


The board of a larger firm may have established a risk committee but, failing that, an executive operational risk committee is the most senior body with direct and explicit expertise to consider operational risk management in a firm. In Chapter 12, Internal audit, we consider the three lines of defence for risk management: business operations (line 1), risk oversight via finance, risk, compliance and other functions (line 2), and independent assurance via internal and external audit (line 3). The executive operational risk committee is one of the points where lines 1 and 2 come together. It should:
• be chaired by the chief risk officer (or the CEO)
• include the head of operational risk
• include representatives from the business lines
• receive reports highlighting major operational risk issues
• advise the board on operational risk appetite and tolerance for future strategy, taking into account the board’s overall degree of risk aversion and the current financial situation of the firm
• develop quantitative as well as qualitative metrics for risk assessment
• oversee a due diligence appraisal of the operational risks of any proposed strategic transaction, particularly one involving acquisition or disposal, even if operational risk management is or has been part of the project team
• produce a separate annual report on its work, focusing on the governance of risk and the relevance of the committee’s work to current and future risk strategy, and recognising that there may be a potential overlap with reporting by the audit committee
• recognise that taking external advice is consistent with the board’s duty of care, where sufficient skill or knowledge is lacking in a technical area of operational risk.

Business lines
The ‘three lines of defence’ model explicitly recognises the primary role of the business line in managing risk in a firm. Business lines are responsible for the risks they generate. As part of their responsibilities for line operational risk management they should:
• develop operational risk awareness and an operational risk culture within the business line
• own the risks which they generate and their controls
• own the operational risk profile and operational risk appetite of the business line
• identify and assess the relevant business line risks and their mitigating controls in line with policy
• monitor, manage and review their risks
• manage and report incidents, events, losses and near misses in line with policy and guidelines
• keep risk exposures within limits and follow policies when limits are breached, including escalation as appropriate
• support the risk management organisation in recognising and assessing risk, including:
  – fully disclosing known risks
  – being aware of the market environment and its influence on risk
  – recognising and disclosing when conditions or assumptions change
• accurately represent risk exposures in management information, risk management and other systems
• obtain approval, including from the operational risk function, of new products.

Internal audit
Although Chapter 12 deals extensively with the internal audit function, it is worth commenting, in a chapter on governance, on the confusion there often is between the internal audit function and the operational risk management function. There shouldn’t be any confusion if it is clearly recognised that the operational risk function has an oversight role (line 2 of the three lines of defence in Figure 12.1), whilst internal audit is part of the independent assurance process, line 3.
The confusion probably arose from the fact that operational risk started life within internal audit on the basis that it was the only function which understood all the firm’s internal processes. Operational risk managers should be involved in establishing processes, with the business line, which cover all aspects of operational risk, and in providing reports to the board and senior management. It is internal audit’s responsibility to review those processes regularly, to assess their effectiveness and to report on the review to the board. Internal audit provides assurance to the board that operational risk is effectively managed.
Of course, there will be liaison between the two functions, but internal audit should not be involved in establishing processes or, for instance, producing scenario assessments. It is there to provide assurance and can hardly give assurance on something it has been a party to creating.

Compliance function
There is also often confusion between the roles and responsibilities of the compliance function and those of the operational risk management function, although in this case both are part of the line 2 oversight function (see Figure 12.1). Whilst the compliance function primarily focuses on regulatory requirements, whatever the industry, these are a sub-set of the overall focus for the operational risk management function, which has a broader and more business oriented portfolio. In respect of operational risk management, the compliance function will:
• liaise with the operational risk department on regulatory approaches which relate to operational risk issues
• be involved with all communication and responses to appropriate regulators
• manage operational risk compliance obligations, such as those associated with health and safety regulations or financial services regulatory requirements
• manage operational risk events which are primarily compliance focused.

Head of operational risk


It is often assumed, because risk management is generally a control function and has an oversight role, that it should be independent from the business to prevent any conflicts of interest or undue influence on its decisions. Whilst that may be true of control functions such as those involved in counterparty credit risk or market risk, it is not true of the operational risk management function. Operational risk is an integral part of the business. As we said in Chapter 1, it is effectively business risk. It is therefore impossible to dissociate its management from the business and establish an organisational structure where it has the appearance of independence.
The role of the credit or market risk function is to approve and decline risk limits and monitor risk exposures. There is an inevitable tension between the sales or distribution functions and the control functions exercised in respect of market and credit risk, which means that the control function should be independent. Credit and market risk limits need independent monitoring or vital controls will be compromised. Operational risk thresholds are set by the business, with the assistance of operational risk, and require an in-depth knowledge of the business, both where it is and where it is going. Setting and monitoring operational risk thresholds would inevitably be compromised if the function had to remain in some way independent of the business.
A further example of the difference between the operational risk function and the other risk functions relates to the ability to decline an exposure. This simply doesn’t happen with operational risk, where the operational risk function acts more as a specialist adviser to senior management and the board and does not have the ability to prevent the firm from taking additional operational risk exposure or to prevent operational risks from occurring.
Given this, the role of the head of operational risk (or the chief risk officer if the firm is too small to have a separate head of operational risk) is to:
• establish, implement and maintain a framework for identifying, assessing and managing operational risks
• set and agree firm-wide operational risk priorities
• act as the operational risk adviser to the firm, and in particular guide senior management in their operational risk management responsibilities
• bring an operational risk focused viewpoint to strategic planning and other activities of senior management
• facilitate the implementation of the operational risk processes, providing coaching and guidance to business line management
• manage the process for setting the operational risk appetite
• monitor and manage the firm’s overall exposure to operational risk
• ensure a consistent approach to operational risk across the lines of business
• coordinate appropriate and timely reporting of operational risks
• coordinate operational risk input to the risk committee and the board on the firm’s risk profile, control infrastructure and any control failings or weaknesses and actions taken
• coordinate input to the regulators on relevant operational risk matters
• liaise with the internal audit department.

Glossary
The importance of all staff having a clear understanding of operational
risk terms has already been highlighted. One way of ensuring that every-
body is speaking the same language is to provide a glossary of terms in the
operational risk policy document. Examples of terms and definitions which
might be included are as follows.

Terminology
Action: Process of doing something in order to enhance a control or change the impact of a risk event.
Control: A preventative or detective feature within a process which has been developed to facilitate action either to reduce or eliminate the likelihood of occurrence and impact of a risk event. A control is directly related to the cause or impact of a risk event.
Control failure: The malfunction or the overriding of a feature that has been designed to manage the likelihood of occurrence or impact of a risk event. The control has therefore been proven to be inappropriate in terms of its design, and/or ineffective in terms of its performance.
Design: The manner in which a control is intended to operate.
Impact: The consequences from the occurrence of a risk event. Consequences could include elements such as legal liability, regulatory action, loss of or damage to physical assets, restitution, loss of recourse and write-downs.
Incident: Used in business continuity planning to describe the event or circumstance which will trigger a business continuity response.
Indicator: Something that is observed or calculated that shows the state of a risk or of a control.
Indirect loss: The occurrence of a distinct risk event which does not directly impact the firm’s profit and loss account or balance sheet. This may be loss of sales through loss of an IT system or less growth achieved than budgeted.
Likelihood: The degree of probability of the occurrence of a risk event.
Loss: The occurrence of a distinct risk event that actually impacts the firm’s profit and loss account or balance sheet.
Near miss: Either an event which would have occurred if the final preventative control had not worked, or an event which did not result in an actual financial or non-financial loss or harm due to the correct operation of detective and/or corrective controls or simply the random nature of events.
Performance: The manner in which a control actually operates in real life, and not in theory.
Risk: An occurrence that may cause damage or loss through preventing or hindering the achievement of a firm’s objectives.
Risk cause: Factors or dynamics which contribute to, accelerate or lead (directly or in combination with other causes) to the occurrence of a risk event.
Risk event: A distinct occurrence which may impact the firm’s profit and loss account or balance sheet, either negatively or positively. A risk event does not have to have a financial component and may be entirely non-financial in its effect.
Scenario: An imagined sequence of possible risk events that are together extreme but plausible.


Timeline
The final part of governance is to implement the operational risk framework. The timeline sets out the project timetable which incorporates the six main operational risk processes and also important items such as staffing.
Given the number of interlinking processes in operational risk management, a timeline to identify when each process is expected to be operational is important to the necessarily phased introduction of operational risk management to a firm. In addition, at some stage, the firm will need to implement a software tool to capture and handle the significant amount of data being captured or created. A timeline will assist the firm in deciding when a tool will be useful and when or if it will be indispensable, and in planning accordingly.
The chart (see Figure 3.15 for an example) will also enable the efficient management and review of the development of operational risk management. Senior management and the board will find that they can more easily understand the implications of changing the speed of the development of operational risk.
If the governance is right, then almost certainly operational risk management will be right. With proper operational risk governance in place, there will be commitment from the top, acceptance through the middle, and policies in place to establish the operational risk framework, which is what we shall cover in the next few chapters.

Figure 3.15 Example timeline for implementing an operational risk management programme

[Gantt-style chart over five phases: 0–3 months, 3–6 months, 6–9 months, 9–12 months, 12–15 months. Activities within each workstream are listed in the order in which they appear on the chart.]

Policy: ORM policy; then ongoing risk committee meetings
RCA: business line and departmental RCAs; board RCA; embedded risk and control assessments, including risk matrix and risk champions
Events and losses: initiate capture; loss causal analysis linked to RCAs
Technology tool: selection; implementation; rollout (initially pilot)
Staffing: requirements review; recruitment/staffing
Modelling: Op Risk ICAAP model; op risk model including qualitative adjustments
Indicators: KCIs captured/reviewed; KRIs identified, captured and combined with KCIs
Reporting: summarised reporting of RCAs and KCIs; risk status report

Source: Courtesy of Chase Cooper Limited


Notes
1 A registered trademark of Balfour Beatty plc, registered in England as a public limited company; Registered No: 395826; Registered Office: 130 Wilton Road, London SW1V 1LQ. We are very grateful to Andy Rose, Group Managing Director, Balfour Beatty plc, for his time and assistance in explaining the ‘zero harm’ project. For further information about the ‘Zero harm’ project, see www.balfourbeatty.com/bby/responsibility/safety/highlights/.
2 HM Treasury, A review of corporate governance in UK banks and other financial industry entities, Final recommendations, 26 November 2009. www.hm-treasury.gov.uk/d/walker_review_261109.pdf.

4
Risk and control
assessment

Aims of risk and control assessment


Prerequisites
Basic components
Avoiding common risk identification traps
Assessing risks
Owners
Identifying controls
What a risk control assessment looks like
Action plans
How to go about a risk and control assessment
Using risk and control assessments in the business
Why do risk and control assessments go wrong?
Summary


Aims of risk and control assessment


The objective of a risk and control assessment is to identify, measure and monitor the risks and controls to which a firm is subject.
The risk and control assessment can be qualitative, quantitative or both. A qualitative risk and control assessment will be based on value judgements such as high, medium high, medium low and low. In contrast, a quantitative risk and control assessment will assess the risks identified through actual numbers, such as percentages for likelihood and monetary values for impact.

Business objectives/processes/activities
A risk and control assessment aims to capture the risks and controls of a firm at the appropriate level. The level required may be strategic, process or activity, as shown in Figure 4.1. A strategic risk and control assessment will derive its risks and controls from the business objectives of the firm and what will prevent the firm from meeting its business objectives. Similarly, the risk and control assessment carried out at the process level will have regard to processes which a firm undertakes and the objectives of those processes. These may be high-level processes, i.e. those carried out at the business unit level, or may be lower-level processes carried out at a departmental level. Processes will ultimately break down into many activities. The risk and control assessment carried out at an activity level will therefore produce a significant number of risks and controls.

Figure 4.1 Levels of risk and control assessment

Level        Risk              Control
Objectives   Strategic risk    Strategic control
Process      Process risk      Process control
Activity     Activity risk     Activity control

Source: Courtesy of Chase Cooper Limited

Benefits to firms
There are many benefits to firms in carrying out risk and control assessments. These range from a clearer understanding of the operational risks which the business faces, through identifying risks which have insufficient controls, to setting action plans to enhance existing controls and implement new controls. A clear understanding of risks will also point to opportunities for profitable risk-taking and business optimisation (see Chapter 2, The business case for operational risk management).
In detail the benefits include:
• a comprehensive understanding of the business’s operational risk profile
• more accurate information regarding the level of risk to the business
• identification of potential risk hotspots and control bottlenecks
• a defined structure to risks and controls, which provides an effective and consistent treatment of risks across the firm and consistent risk reporting
• managing risks and mitigation as a ‘portfolio’ to help the business make a clear link between risk and performance
• increased acceptance of a risk culture in the business by assisting those who are responsible for managing risk on a day-to-day basis
• embedding risk management processes into the core processes of the business
• communicating the firm’s view of its risks and controls to existing staff and new recruits
• enabling risks associated with cross-functional processes to be managed more effectively
• a better response to issues within the business, as the risks are more clearly understood
• further assurance to the board that the statements in the annual report are accurate
• improved business continuity planning
• documentation of risks and controls for use by external stakeholders such as regulators.

Prerequisites

Operational risk framework


An operational risk framework is an essential prerequisite for the effective and
efficient conduct of a risk and control assessment. A framework provides a clear
understanding of the structure and process around the identification of risks
and controls and how the risk and control assessment fits into the overall man-
agement of operational risks (see Figure 4.2).
As discussed in the previous chapter, the operational risk policy, approved
by the board, will state at a high level how operational risk is to be managed.

Part 2 · The framework

Figure 4.2 Typical operational risk framework

[Figure: a flowchart, given here in text form. Outer box: Operational risk
environment. Top band: Governance. Three parallel streams beneath it:
  Indicators: Identify key risk and control indicators; Action plans.
  Risk and control assessment: Specify risk appetite; Identify risk owner and
  assess likelihood and impact; Identify control owner and assess design and
  performance; Action plans.
  Events: Identify and capture internal and external events; Analyse causes;
  Action plans.
Bottom bands: Scenarios and modelling; Reporting.]

Source: Courtesy of Chase Cooper Limited

This will include a vision, guiding principles, high-level procedures, strategy
and reporting lines. The policy is also likely to give the governance structure
within which operational risk is managed, including ultimate and intermedi-
ate responsibilities, information flows (both up and down the firm) and how
operational risk is used within the firm.

Board commitment and sponsorship


It is important that there is clear commitment from the highest level of the firm
before beginning the risk and control assessment. The board should approve the
operational risk policy and a full member of the board should have responsibil-
ity for the management of risk. Without such sponsorship, a risk and control
assessment will not be taken seriously and it is very unlikely that the risks and
controls which the firm faces will be fully identified and monitored.

Business objectives
Risk and control assessments should start at a strategic level. It is therefore
necessary to have a list of the business’s strategic objectives so that the assess-
ment can be carried out in relation to the principal aims of the firm. Without
the business objectives to provide a focus, the risk and control assessment
will lack an appropriate level in which to place its risks. The result will be
a mixture of high-level, process and activity risks, which will give very little
business benefit, due to the heterogeneous nature of the risks (and therefore
the controls) and the lack of any clear connection with the business objectives
relevant to each level.

Process and activity maps


These are not necessary, but if the firm is starting its risk and control assess-
ment at a process level, it is useful that the processes are mapped so that all
the processes are captured and the risk points can be seen. This is especially
important if the process risk analysis is being carried out at a detailed level
or at an activity level. The maps will help to identify where controls may be
weak and therefore assist in control analysis. This can also be the start of pro-
cess improvement, particularly through Six Sigma and Lean analyses. However,
whilst it is possible to start risk and control assessments at a process or activity
level, it is not recommended as it is very difficult to show quick business wins.
Much better is to start at the top at the business strategy level.

Basic components

Risk events
A risk event is an unchanging and distinct occurrence which may impact the
firm’s profit and loss account or its balance sheet. An event can have its origin
in a number of causes or triggers, which may vary through time. An event may
also generate different consequences or effects, which may also vary over time.
However, the event itself is immutable. A risk event is evaluated in terms of
the likelihood and the impact of a risk.

Figure 4.3 Cause, event and effect

Cause                        Event                        Effect
Clash of world cultures      Planes colliding with        Major buildings claim
Lax airport security         buildings                    Many deaths

Cigarette                    Building burns down          Loss of building
Lack of sprinklers                                        Insurance claim
Poor storage                                              Loss of business

Controls breakdown           Internal fraud               Jail for trader
Markets go ‘wrong’ way                                    Regulatory fine
Performance-based pay                                     Loss of reputation

Risk owner
A risk owner has direct and explicit responsibility for the management of
the risk event. This will ultimately be a board member, but ownership will
be delegated down to an appropriate level and individual. Given that oper-
ational risk involves everybody in the firm, it could be said that everybody is
a ‘risk owner’. The identification of a specific risk owner ensures transparency
and clarity over the management of a risk. It also enables the firm to judge
its concentration exposure in terms of management responsibility for risks,
as risk owners generally own several risks. The firm should try hard therefore
to identify a single owner for each risk. However, for certain risks, composite
owners are unavoidable. These will include a number of strategic risks, which
the board will own as a whole.

Control
A control is the element within a process which has been developed to facili-
tate action to reduce or eliminate either the likelihood or impact of a risk
event. A control is evaluated in terms of its design and performance.

Control owner
An owner of a control is an individual with responsibility for executing a con-
trol procedure. Several controls can be owned by one individual.

Action plans
Action plans are created in response to a control that does not reduce the risk
to within the firm’s tolerance for that risk. They modify or add to existing con-
trols so that the risk is within the agreed appetite.

Avoiding common risk identification traps


The first task when undertaking a risk and control assessment is to identify
the risks which are to be assessed. That sounds simple enough, but there are a
number of traps into which it is easy to fall.

Risk register
A risk register lists all the risks identified by a firm by risk category and may
also be known as a risk inventory, a risk library or a risk list. Whilst it is useful
to have a full list of risks identified by the firm, it can be constraining in a risk
and control assessment, since participants tend to focus on the list rather than
on what might prevent the firm from achieving its strategic objectives or the
process from being carried out. Given that one of the purposes of a risk and
control assessment is to identify the risks, the existence of a risk register begs
the question as to how the risks in the register were identified and to what the
risks relate. If there is a risk register, put it to one side and start the risk and
control assessment from scratch. The register can be used later to check that no
significant risks have been forgotten.

Cause/trigger
A cause or trigger is something which precipitates a risk event. These are help-
ful in identifying risk events and in avoiding confusion between a cause and
an event. However, causes are more useful in assisting the identification of an
efficient action plan; the prevention of a cause will, by definition, prevent a
risk event.
Bear in mind, though, that causes of risk events change over time, so that
preventing a cause today will not necessarily prevent the same risk event from
occurring tomorrow from a different cause. Just as one cause can trigger many
risk events, so a risk event can be triggered by many causes.

Effect/consequence
A risk effect or consequence is an occurrence which is precipitated by a risk
event. These are often confused with risk events as they are the most obvi-
ous outcome of a risk event actually happening and are often easier to control
or manage than the event itself. The control of an effect can give immediate
short-term assurance to a risk owner, without having to undergo the more
intellectually rigorous and longer analysis of the risk which precipitated the
effect in the first place.

Indicators
Indicators show the movement in the likelihood or impact of a risk, in the
design or performance of a control, or in the performance of a firm in re-
lation to its objectives or processes. As such, existing key indicators are useful
in identifying the risks and controls on which the firm focuses. However, key
risk indicators and key control indicators are often mixed with key performance
indicators, so a first step is to sort the indicators (see Figure 6.2 and Chapter 6
in general). Although there will be business benefit in sorting indicators into
logical and consistent sets, this activity is likely to be outside the scope of a risk
and control assessment and will therefore generally be undertaken separately.

Losses
Losses are the monetary result of a risk event occurring. Losses are often col-
lected by firms, particularly in internal audit reports and reports to the audit
committee. When loss causal analysis is used, this can again be helpful in iden-
tifying the risks which have occurred and controls which have failed. However,
the risks will have been identified without any reference to the business objec-
tives or processes and are often couched as control failures relating to causes
or effects, rather than as risk events which resulted from the control failures.
Again, care must be taken and additional work will probably be required for
the analysis to be used in the risk and control assessment.
A firm’s losses will only give a historical view of the risk events to which it has
previously been subject. It is therefore important to understand that there will be
many more potential risk events than are identified by a loss causal analysis.
See also Chapter 5, Events and losses.

Stress tests and scenarios


A firm which has not yet performed a risk and control assessment will be
unlikely to have contemplated stress tests and scenarios. Risk and control
assessments give a valuable insight into the likely causes and effects of the risk
events about which the firm is most concerned. Without a risk and control
assessment it is unlikely that the firm will have separated causes from effects, a
fundamental element to building scenarios.
See also Chapter 9, Stress tests and scenarios.

Link to objectives/processes/activities
A risk and control assessment must be related to a business objective or pro-
cedure and must not be performed in isolation. It should start, and often does, as
a strategic assessment linked to the business objectives, although assessments can
be carried out on processes, activities and projects. The explicit link with busi-
ness objectives gives the risk and control assessment a focus and enables risks to
be identified within a framework and therefore at an appropriate level. Without
such a link, it is difficult to relate the risks identified to a specific business area
and therefore difficult to identify and provide clear business benefit.

Risk drivers, themes and categories


A risk driver is a single item comprising a collection of closely linked risk
causes or triggers, which share an underlying similarity, such as a macro-
economic downturn. A risk theme is a set of similar risks, such as fraud. In their
first attempts at a risk and control assessment, firms often try to undertake the
exercise at this high level, by using combinations of risk drivers and themes (see
Assessing risk later in this chapter). This is possible, but has little benefit either
to the business or to identifying a firm’s risk profile. You need to get down to
a granularity which yields business and operational risk benefit, but is not so
unwieldy as to provide overwhelming and ultimately meaningless detail.
A risk category is a set of similar risk events, for which there is benefit in
treating them as a group (see Table 1.1). This is obviously an advantage, but it
is important that they are identified after the risk and control assessment and
are not identified beforehand. The risk and control assessment will have been
linked to the business objectives, so that any linked risks will naturally emerge
from the risk and control exercise and be aligned to the objectives.

Link to products, geographic regions


Similar, or the same, risk event and control pairs often exist between related
products (dollar bonds and sterling bonds) or comparable geographic regions
(UK and US). Conversely, some products (such as OTC derivatives) and
regions (such as Southern Africa) will be more likely to have unique risk and
control pairs. A thorough understanding of the firm’s business is therefore
essential when undertaking risk and control assessments to ensure that links
are included.

Frequency of identification
Identifying risks (and their accompanying mitigating controls) should be a
part of the firm’s day-to-day business life and processes. Risk identification is
a normal and natural part of being in business and should not be regarded as
something which is done only once every six months or whenever a full risk
assessment is performed.

Immutable
As noted above (in Risk events), a risk event is an unchanging and distinct
occurrence. Although the causes of an event may change (a building burning
down may be caused by different factors), the risk event itself does not change.
This enables a consistent analysis to be made of the gross risk to the business.
It also enables the required controls to be viewed consistently for the same risk
across a firm, as the firm may develop an ideal set of controls for the risk event.
Comparability of the effectiveness of the controls for the same risk across a
global organisation is then possible.

Triggers, consequences and control failures


As we have seen (see Cause/trigger and Effect/consequence above), a risk event is
precipitated by triggers and itself precipitates an effect or effects. It is impor-
tant to differentiate between these three connected occurrences so that it is the
event which is mitigated and controlled.
If a cause or trigger is wrongly identified as an event, the focus of the
assessment will probably be on control failures, rather than on the risk events
themselves. Identifying a control failure as a risk event often leads to a new
control being put in place to mitigate the apparent control failure, rather than
the much more desirable effect of eliminating the failure through remedial
action to the control which failed.
If a consequence is wrongly identified as a risk event, the focus of the miti-
gating effort will again not be the event itself, but rather one of the effects
of the event. As consequences change over time, because the external en-
vironment changes or because of the effects of the controls themselves, the
mitigating controls will become less efficient at reducing the effects of the risk
event, through no fault of the controls themselves.

Reputational damage
Reputational damage is generally a consequence of a risk event. As such, there
are strong arguments for not identifying it as a risk in its own right. However,
many firms view this risk as their most serious and would not give credibility
to a risk and control assessment which did not identify reputational damage as
a risk. It is therefore important to ensure that double counting does not take
place when using a risk and control assessment for quantification of operational
risk (see Chapter 8, Modelling).
There are a number of examples of reputation damage in Chapter 15,
Reputation risk. In the Perrier example, although the cost of withdrawing
millions of bottles was very high, the reputation damage to Perrier was even
higher. However, the reputational damage was a direct consequence of the risk
event of contamination of the water.

Levels and components


Risks can be identified at different levels, for example business objectives, pro-
cesses and activities, as shown above. Firms will often struggle with how they
will know which risks belong to which level. This question generally stems
from a lack of consideration of the subject of the risk and control assessment. If
risks are being identified at a strategic level, it will be clearly inappropriate to
identify risks at the detailed activity level. Conversely, strategic risks are too
high level for an activity analysis.

If risks are being identified at the process, business unit or departmental
level it is sometimes difficult to know when to stop. The best answer is
to make clear reference to the particular process, business unit objective or
departmental goal which is being considered. If that seems too difficult, it is
often helpful to consider the components of the risk under analysis, i.e. the
risks at the next level down. This allows the firm to articulate the detailed
risks, whilst continuing to focus on the level under consideration. This will
also help a future, more detailed, risk assessment.

Examples
Practical examples of levels and their components

Strategic example: Internal fraud
Cause: Invalid claims paid
Risk event: Internal fraud
Control: Segregation of duties between claims and finance; escalating claims
authorisation limits; quality assurance checks and system controls
Impact:
• Direct: value of frauds (possible sum of multiple loss events)
• Indirect: improvements to IT security; cost of review of internal controls

Process example: Incorrect client take-on
Cause: Poor design of client take-on form
Risk event: Incorrect client take-on
Control: Automatic postcode check; independent review of input data; written
confirmation of details from client
Impact:
• Direct: incorrect booking of client trade
• Indirect: ex-gratia payment to client to compensate for losses; redesign of form

Activity example: Suspense account balance write-off
Cause: Lack of clarity of ownership of reconciliation process
Risk event: Suspense account balance write-off
Control: Procedures for regular reconciliation and reporting on reconciliation
accounts; follow-up actions on reconciling items
Impact:
• Direct: loss of un-reconciled balance
• Indirect: management time attempting to reconcile accounts; re-engineering
the process; opportunity cost through unexpected use of significant capital

Assessing risks

Gross/net/target
Risks can be assessed at several levels of mitigation. Gross (or inherent) risk is
assessed with no account taken of the controls which exist within a firm. The
only controls which are assumed at the gross level are inherent controls such
as people’s honesty and society’s willingness to obey the law. The advantage of
assessing risk at a gross level is that there are no assumptions about the qual-
ity or existence (or otherwise) of controls. It also identifies the level of loss to
which the firm is exposed if and when the existing controls fail.
Net (or residual) risk is assessed after allowing for the existing controls
within the firm. This means that there are assumptions about the adequacy
and continuing effectiveness of the controls. These assumptions are rarely
stated in net risk assessments. If they are stated, they become close to control
assessments. The object of this part of the exercise is to assess risks, not con-
trols. The level of loss arising from a net risk assessment is the day-to-day loss
which the firm suffers with the existing level of control.
Target risk is the name often given to the final level of expected risk appe-
tite which exists within a firm after all mitigating effects are at the firm’s
desired level. It is used to assess the impact (and sometimes the effectiveness)
of control enhancement plans.
If risks are assessed at a gross level, a control assessment can easily be linked
to the risk assessment. If risk is assessed net, the control assessment is already
implicit in the net risk assessment and the result will require reconciling back
to the explicit control assessment.

Frequency of assessment
How often risk and control assessments are carried out is dependent on each
firm’s circumstances. Many firms carry out quarterly risk and control assess-
ments, focusing on the risks and controls which have changed during the
quarter. These firms will often carry out an annual risk and control assessment
going back to the business objective or procedure which formed the basis for
the original assessment. Other firms carry out half-yearly assessments at a more
detailed level.
The best guide is to consider how frequently individual risks are likely to
change. That probably means that it is unlikely that a full risk and control
assessment will be performed on a monthly basis unless the risks are likely
to change that frequently. At the extreme, an assessment may be carried out
several times a day in a department responsible, say, for receiving retail firms’
monies and sending out contract notes or policies.

Likelihood/frequency/impact/severity
Once risks are identified, they are evaluated for likelihood (or frequency)
and impact (sometimes called severity). Likelihood is reviewed on the basis
of how frequently a risk event will occur over a given period (e.g. monthly,
three times a year, once in 50 years). Alternatively, many firms find it helpful
to think of the percentage likelihood of a risk occurring in one year. A more
detailed discussion on alternative likelihood terms and their possible weak-
nesses is given in connection with Table 9.1.
Impact is reviewed on the basis of the (possible) cost to the firm if the risk
event happens. Whilst the term severity is also used by some firms as being syn-
onymous with impact, the word may also be used as a single value for a risk
assessment, being a combination of likelihood and impact. This was more
common before separate likelihood and impact assessments became widely used.

Expected/unexpected
Risks can also be assessed using the terms expected or unexpected. This refers
both to the expected or unexpected likelihood and to the expected or unex-
pected impact. In practice, both levels give value to a firm. The expected level
will give a check on the usual effectiveness of the controls and therefore acts
as a check on the provisions or reserves which are made on a regular basis by a
firm. It is similar to the net risk level.
The unexpected level gives information about the amount of capital
required to withstand a financial shock to the firm from a risk event occurring.
This is similar to the gross risk level. The unexpected level is therefore used for
assessing economic and regulatory capital requirements.

Qualitative compared with quantitative


Risks can be assessed on a qualitative or quantitative basis. A qualitative
assessment will have a range of values which do not comprise figures, for ex-
ample high, medium-high, medium-low and low. A quantitative assessment
will, in contrast, have only figures, although ranges may be used, for ex-
ample £10m or £10–50m for impact and 10% or 10–25% for likelihood.
Some organisations are more comfortable with figures, although it is more
common for a firm which is starting its risk assessment process to use a quali-
tative basis first (high/medium/low or red/amber/green, with no numeric
definitions) and then move to a quantitative basis as it gains confidence and
gathers objective information about its risks.

Periods for likelihood


The period used for likelihood assessment should be aligned to the level of
risk being assessed. For example, an annual period (i.e. the interval in years
between the risk happening) is probably inappropriate for an activity risk
assessment. Conversely, the use of a monthly frequency would give possibly
misleadingly large figures for a strategic assessment based on a five-year plan.

Direct loss or indirect loss for impact


Direct loss for impact is often easier to assess as it is linked to the charge to
the profit and loss account. Even when there are no historical figures available,
it can often be calculated easily. Indirect loss is much more difficult to assess
and inevitably more subjective, as it is based on the total cost to the firm of
a risk event occurring. Such items as opportunity loss, for example the loss of
additional sales or the cost of redirecting staff to resolve an operational risk
problem, are considered in evaluating indirect loss. This means that the
indirect loss can often be a larger figure than the direct loss. Firms should be aware of
the two levels of loss (direct and indirect) and combine the two to assess the
true impact of risk events.

Impact assessed on profit and loss, plan period or shareholder value


A decision is also needed as to which period the loss assessment takes into
account. Although multiple years can be considered in an assessment which
uses the profit and loss account as a basis for impact, usually only the impact
on the first year is evaluated.
Consideration of multiple years often occurs when a firm is using business
objectives to be attained over a multi-year plan period as its risk reference.
This can give rise to the concept of the net present value of the risk event,
although this should only be considered if the firm is comfortable with the
concept and already uses it in day-to-day business management.
The largest and most difficult value to assess is the impact on shareholder
value, as this is a multi-year indirect loss figure. However, where a firm already
uses shareholder value as a concept, its use should be seriously considered, as
this is the true impact of a risk event on the owners of the firm.

Impact components
If the firm considers only direct losses, it significantly limits the business ben-
efits of risk and control assessment. By breaking down the impact into separate
components, such as financial, people, customer and other stakeholders, it can
be easier and more beneficial to assess indirect as well as direct losses.

Loss causal analysis (see Chapter 5, Events and losses) typically analyses
the components of the loss and can be used to ensure that the risk and control
assessment is consistent with the loss analysis and so delivers business value.

Three/four/five or more scores


Whilst many organisations start their assessment process with three or four
levels of scores for likelihood and impact, some use up to 10 levels. Unless the
firm is skilled in such scoring, it is more than likely that a lot of time will be
used discussing whether a risk event is a six score or a seven score. There is
usually not a material difference between any two adjacent scores when a large
number is used and therefore little business benefit in a long discussion on the
matter. In any case, the scores are subjective and therefore only give an indi-
cation of relativities, not of absolutes.
One interesting question is whether to use an odd or an even number of
scores. An even number will force a decision either side of a median value,
whereas an odd number will allow a mean value; for example, four levels might
be low, medium low, medium high and high, which does not allow a mean score.
Some organisations see an even number of possible scores as a benefit as it is
often too easy to place a likelihood or an impact in the middle score. Others
find it easier to differentiate between low and high if there is only medium
in the middle. It can be argued that it is more correct to use odd numbers if
the item being scored has a normal distribution as the mean of the distribu-
tion is clearly presented, although of course the mean can be inferred when an
even number of scores is used. Although there are merits for both odd and even
numbers of grades, the foibles of human nature point to an even number of
grades as being best.

Use of periods compared with percentages


Technically, there is no difference between using time periods and using per-
centages for the likelihood of a risk occurring or a control failing. Initially, most
people find it simpler to relate to time periods for likelihood (twice during the
working week, once every three working months) than to percentages (40%,
1.67% respectively). It is often easier for a firm to articulate its likelihoods as
time periods and for the operational risk manager to convert them to the per-
centages, which will be necessary for modelling the risk and its controls.

Ranges and single figures


Many organisations find it difficult to assess the risk likelihood and impact (and
the control design and performance) as a single figure. The problem stems from
the character of operational risk, which is naturally imprecise and variable. It is
therefore problematic to attribute a single value to a dimension of operational
risk assessment. A common way around this is to consider a range of values
(£5m–£15m, rather than £10m). Single figure assessment can then be intro-
duced after the firm has gained experience of the assessment process.

One pair (impact/likelihood), two pairs (average and worst case) or three
Whilst most organisations start their risk and control assessments with assess-
ing one pair of scores for a risk (such as impact/likelihood), some choose two
pairs (adding average and worst case for each of impact and likelihood). A third
level can be added, by taking the assessment of impact and likelihood to an
‘extreme worst case’. In mathematical terms, average represents a 50% confi-
dence level, ‘business as usual worst case’ takes the assessment to a 95% or 1 in
20 confidence level, whilst the third level reaches up to 99.5% or even 99.9%
confidence (1 in 200 or 1 in 1000).
Two pairs help the firm to think about the expected and unexpected parts
of a risk’s distribution without making the mathematical part explicit. Three
pairs enable a firm to begin to specify the distribution which comprises the
risk. A very occasionally used alternative is to specify a mean and a standard
deviation, although this requires an understanding of mathematics which is
generally beyond most managers.
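The conversions discussed in Use of periods compared with percentages above and in this section (time period to percentage likelihood, and confidence level to a ‘1 in N’ return period), as an added Python example that is not from the book. It assumes a working calendar of 5 days per week, 20 per month and 250 per year, and, for the one-year figure, that each working day is an independent trial.

```python
from fractions import Fraction

# Assumed working calendar (not from the book): working days per named period.
WORKING_DAYS = {
    "working day": 1,
    "working week": 5,
    "working month": 20,
    "working year": 250,
}


def daily_percentage(occurrences, count, period):
    """Exact per-working-day likelihood, as a percentage, of a risk that occurs
    `occurrences` times every `count` periods.

    'Twice during the working week' is daily_percentage(2, 1, "working week");
    'once every three working months' is daily_percentage(1, 3, "working month").
    """
    if occurrences < 0 or count <= 0:
        raise ValueError("occurrences must be >= 0 and count must be > 0")
    days = count * WORKING_DAYS[period]
    return Fraction(occurrences, days) * 100


def expected_per_year(daily_pct):
    """Expected number of occurrences in a working year (a frequency, so it
    can exceed 1 for a risk that happens several times a week)."""
    return Fraction(daily_pct) / 100 * WORKING_DAYS["working year"]


def annual_probability(daily_pct):
    """Percentage likelihood of at least one occurrence in a working year,
    treating each working day as an independent trial (assumption of this example)."""
    p = float(daily_pct) / 100
    if not 0 <= p <= 1:
        raise ValueError("a daily likelihood must lie between 0% and 100%")
    return (1 - (1 - p) ** WORKING_DAYS["working year"]) * 100


def return_period(confidence_pct):
    """'1 in N' return period for a confidence level: 95 -> 20, 99.5 -> 200,
    99.9 -> 1000. Accepts int, str or Fraction so that 99.9 is handled exactly."""
    c = Fraction(str(confidence_pct))
    if not 0 <= c < 100:
        raise ValueError("confidence must be at least 0% and below 100%")
    return Fraction(100) / (100 - c)


def confidence_level(n):
    """Inverse of return_period: a 1 in 20 case is the 95% confidence level."""
    if n <= 0:
        raise ValueError("return period must be positive")
    return 100 - Fraction(100, n)


if __name__ == "__main__":
    for label, args in (("twice a working week", (2, 1, "working week")),
                        ("once every three working months", (1, 3, "working month"))):
        d = daily_percentage(*args)
        print(f"{label}: {float(d):.2f}% per day, {float(expected_per_year(d)):.1f} per year, "
              f"{annual_probability(d):.1f}% chance of at least one in a year")
    for c in (50, "95", "99.5", "99.9"):
        print(f"{c}% confidence is 1 in {return_period(c)}")
```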

Use of losses to back-test impacts and likelihood


Losses provide a real life view to guide and challenge the subjective assessments
which are made when considering the likelihood and impacts of risks. However,
it is important to ensure that the causal analysis of the losses correctly identi-
fies the risks to which the losses relate. The mapping of the risks underlying the
losses to the risks which have been identified during the risk and control assess-
ment is difficult but worthwhile as it enables a methodology to be established
which tests the assessors’ judgement against actual losses experienced by the firm.
This ‘back-testing’ technique should take account of any changes to the
firm. An example might be an increase or decrease in staff numbers, which
might affect the relevance of both the frequency and severity of losses to the
firm as it currently exists. So when using losses, make sure that the risk profile
when the losses occurred is the same as the risk profile at the time of the assess-
ment. If not, adjustments will have to be made.

Heat maps
Heat maps give readily accessible and visual representation of the risk profile
of a firm. They are often the first risk report seen by the board and, as such,
must be positioned as the start of risk reporting and not the final risk report.
80

M04_BLUN7323_01_SE_C04.indd 80 29/06/2010 09:52


4 · Risk and control assessment

They are helpful in allowing management to focus on the most significant risks to the firm, in the absence of any further data.
Heat maps often start as net or residual risk heat maps (see Figure 4.4) and then expand to cover both gross and net risk as the firm develops its expertise in risk assessment, as shown in Figure 4.5 later. Illustrating, by means of a heat map, the reduction in a risk due to the mitigating effect of the controls is helpful in visualising which controls are fundamental to reducing the risk profile.

Figure 4.4 Heat map of residual risk assessment

[Figure: a grid of residual assessments, Impact (Minor, Important, Significant, Critical, Catastrophic) against Likelihood (Extremely Remote, Remote, Probable, Likely). Each occupied cell shows the number of risks and its share of all risks assessed: Catastrophic 9 (3%); Critical 6 (2%); Significant 4 (1%) and 2 (0%); Important 60 (25%); Minor 154 (64%), 1 (0%) and 1 (0%). Nearly two-thirds of the residual risks sit in the Minor impact row.]

Source: Courtesy of Chase Cooper Limited

Owners

Different levels
There can only be one ultimate owner of a risk and that person must be at
board level. However, the board director responsible for the risk may dele-
gate the management of the risk to another person who in turn may delegate
Part 2 · The framework

further. This can lead to confusion over who owns the risk. It is likely that
those to whom the risk is delegated only own a part of the risk for which the
board member is ultimately responsible. However, the risk and control assess-
ment process will decompose the risk down to each level – strategic, process,
activity. As a result, the person responsible for a particular process or activity
which contributes to the strategic goal of the firm for which the board member
is responsible will be clearly seen as the person who owns the risks inherent in
the process or activity.
It is often also the case that the CEO is nominated as the owner of most
of the risks when a board first considers its strategic risk profile. This must
be challenged. Board members should take responsibility for their own risks,
for example the sales and marketing director must take responsibility for risks
relating to sales and marketing, such as mis-selling.

Risk owners
Risk owners may exist at several levels, although there is only one ultimate
risk owner. The owner of the risk is responsible for measuring, monitoring
and mitigating the risk, at the relevant level, within the risk appetite set by
the board. The actual tasks of measuring, monitoring and mitigation are gen-
erally given to another member of staff. This does not reduce or remove the
risk owner’s responsibility for managing the risk, which is carried out through
receiving and actioning reports from the staff to whom the tasks have been
delegated.

Control owners
These are the people responsible for managing the mitigation of the risk
through the operation of internal controls. Control owners are vital both in
designing appropriate controls to mitigate the risk and in ensuring adequate
performance of the control in line with the board’s risk appetite. They are
responsible for identifying any action plans necessary to increase the effective-
ness of the control and are also responsible for implementing the action plans.

Liaison between risk owners and control owners


It is essential that there is good communication between the risk owner and the control owner. In an initial risk and control assessment it is often the case that the risk owner scores the control as less adequate than the control owner does. This can be due to the risk owner not fully understanding the control, or to the control owner being too optimistic about the control’s effectiveness due to a misunderstanding of the risk’s likelihood and full impact. Both of these are probably due to a lack of communication between the risk owner and the control owner. With good communication it is possible to design and perform controls to a level which matches the firm’s risk appetite, i.e. at the most efficient level for the firm. If necessary, the head of operational risk will challenge and resolve the different scores.

Identifying controls

Suitable level
Just as identifying a suitable level of risk can be a challenge, so too can iden-
tifying the appropriate level of control. However, as controls are typically
identified after risks, it is often easier to set control identification to the appro-
priate level. If the risk identification has been set, for example, at a business
objectives level, the controls which are identified should be at the same level.
It is very easy to identify controls at a departmental or activity level and
relate these to the business objectives of a firm. However, this should be
avoided as there will be a mismatch between the level of the risks and the level
of the controls. Additionally, it is important to identify and then score the
strategic controls which are in place to mitigate the risks to the business objec-
tives. If this is not undertaken a firm can be lulled into a false sense of security,
believing that its business risks are well controlled by a considerable number of
activity or departmental controls.

Independent controls
When identifying controls, we are seeking to identify the independent con-
trols which mitigate a risk. Although there is some point in identifying
linked controls, far more business benefit will be achieved through identify-
ing and scoring controls which are independent of each other. Controls which
are linked to each other, perhaps in a sequence, are only as good as the pre-
ceding control. This means that if the first control in the sequence fails, none
of the other controls gives any benefit in mitigating the relevant risk(s). It is
therefore vital that controls are checked to ensure that they are independent,
otherwise they become another source of false security.
Examples of three typical independent controls are those which might be considered to mitigate the risk of ‘Failure to attract, recruit and retain key staff’, as shown in Figure 4.6 later: ‘Salary surveys’, ‘Training and mentoring schemes’ and ‘Retention packages for key staff’. Linked controls within this example might be ‘Salary increases’ and ‘Title changes’, both of which are linked with, and so depend on, ‘Salary surveys’.

Mitigating more than one risk


It is often said that a single control mitigates more than one risk. In principle
this may well be true. In practice it is unlikely that the application of the con-
trol is exactly the same. Often the control is the same, but applied differently
by different departments. For example, a staff appraisal is a very common con-
trol which mitigates the risk of ‘Failure to attract, recruit or retain key staff’.
However, the control is likely to be applied differently in different depart-
ments and the effectiveness of the control will vary considerably around the
firm. The head of operational risk should therefore challenge, whenever it is
suggested that a control mitigates more than one risk, in order to avoid two
similar controls being mistaken for the same control. The risk and control
assessment shown in Figure 4.6 provides examples of similar but different con-
trols, such as staff training as a control to improve competencies, and training
and mentoring as a control to mitigate key staff turnover. It is important to
define not just the control but its purpose.

Controls are only one form of mitigation


Controls are the most common continuing method of mitigating risks. They are
completely within the management’s sphere of influence and in a firm practising
good operational risk management they will be increased or decreased to reflect
the sensitivity of the firm to a particular risk. In practice this rarely happens, in
part because of inertia. Firms should be alive to change and accept it as part of
everyday life, all part of a culture of continuous improvement.
Another method of mitigation for the firm is to transfer the risk to another party entirely, for example through insurance (see Chapter 11, Insurance). This enables a clear cost to be attached to the mitigation through the premium charged by the insurance company. It also explicitly limits the exposure of the firm to the excess, or deductible, applied to the insurance policy. However, there is usually also a limit to the loss which the insurance company is willing to cover, and above this limit the firm is once again exposed.
Another method of mitigation is to remove the risk altogether from the
firm, for example by ceasing business in the particular product to which the
risk is attached. This is, of course, an extreme move to take but may be justifi-
able in the circumstances. For example, it was reported that Goldman Sachs
withdrew from some markets before its peers during the 2007–9 financial
crisis and by doing so considerably reduced its losses.

Types of controls
Controls can be divided into four types: directive, preventative, detective and
corrective.

• Directive controls provide a degree of direction for the firm and are typically policies, procedures or manuals.
• Preventative controls act to prevent the risk or event from happening. They are often automated controls, such as guards around a piece of machinery or system checks to prevent limits being exceeded.
• Detective controls act after the risk or event has happened and identify that it has occurred, so that it can be dealt with. Typical detective controls might be sensors warning that the safety of a piece of machinery has been compromised, or reconciliations and monitoring of accounting entries.
• Corrective controls again act after the risk event has happened and mitigate the effects of the event through remedial action. Typical corrective controls are following up on outstanding reconciliation items or other risk reports and taking action following risk monitoring.
It is helpful to differentiate the controls identified into their various types (see
also Chapter 6, Indicators, for a further use of these four types of controls).
This enables the firm to assess whether it has a balance of the different types
of controls or whether it has a number of, for example, detective and corrective
controls but lacks directive and preventative controls. With this imbalance, a
firm will be unlikely to prevent a risk from occurring, but may be well-placed
to minimise the impact of a risk when it does occur. An example of such a risk
would be an external event beyond the firm’s management influence, such as
flooding or a terrorist attack.

Effects of preventative and detective controls on risk likelihood and impact
Analysing preventative and directive controls is particularly important in risk
and control assessments as they tend to reduce the likelihood of a risk occur-
ring, whereas detective and corrective controls tend to reduce the impact that
the firm suffers. Most risk managers aim to have a balance, where possible, of
controls which mitigate a risk before the event and its effects after the event.
As illustrated in the paragraph above, this is not always possible.
When a variety of types of controls have been identified, their effects can be
assessed on the gross likelihood and gross impact scores. This provides valid-
ation and confirmation of net likelihood and net impact scores if the firm has
undertaken a net risk assessment. Additionally, the effects can be graphically
illustrated on a heat map (see Figure 4.5), a visual representation which rapidly
assists management perception and action.

Figure 4.5 Heat map showing effects of types of control on a risk

[Figure: Impact (Low, Med-low, Med-high, High) against Likelihood (10% likely, 30% likely, Very likely, Severe). Preventative controls move the risk from its gross/inherent position along the likelihood axis; detective controls move it along the impact axis, to its net/residual position.]

Design and performance


Controls should be assessed on their inherent ability to mitigate risk, their
design, and on their actual performance. There are a number of advantages to
this method of assessment over the previous methodology of assessing only the
effectiveness of a control:
• It enables a control assessment to differentiate between the theoretical and the actual effectiveness of the control. Whilst a control may be theoretically effective, such as a reconciliation performed to mitigate the mis-statement of an account balance, it may not be very effective in reality. It may only be performed monthly, rather than the intended period of weekly, or reconciling items may not be followed up diligently.
• The design of a control is often a reflection of the systems or processes underpinning that control, whereas the performance of a control is often about the people operating the control. Assessing both design and performance enables action plans to be drawn up which enable a control to be better focused. A control which has a poor design is likely to require improvements to the systems or processes relating to that control. A control with poor performance is more likely to require a focus on training, additional people to operate the control, or a different level of skill.
• The use of two dimensions to assess a control mirrors the two dimensions (likelihood and impact) used to assess a risk. This facilitates a comparison of the strength of the controls with the risk that the controls are mitigating.

Three/four/five or more scores


Just as with risks, some thought must be given to the number of scores for
design and performance. Most organisations use the same number of levels for
control scoring as they use for risk scoring; if a firm is using four levels for
likelihood and four levels for impact, it is likely to use four levels for each of
design and performance. This enables easy comparison between a composite
risk score of likelihood times impact, and a composite control score of design
times performance. Otherwise normalisation of either the risk score or the con-
trol score will be required.
The same consideration must be given to using an odd or an even number of
control scores as was given for scoring risks. It is even easier to place a control
score in the middle of a range. It is however unusual for a firm to have more
than four or five levels for control scoring unless a considerable amount of loss
causal analysis is undertaken by the firm.

Use of losses
Loss causal analysis is extremely useful in providing objective knowledge of the
probable failure of controls, particularly due to poor performance. Even with-
out comprehensive data it is still possible to use losses as a guide to the likely
scoring of a control. For example, a control is unlikely to be scored as having a
good performance if a number of losses have occurred recently due to its fail-
ure. Conversely, no losses occurring in recent times may be an indication of
good performance – or simply of good luck.

Use of periods compared with percentages


As with risks, the same consideration should be given to the use of periods
compared with percentages. Most people find it much simpler to relate to time
periods for the likely failure of controls, for example once a week, twice a month
or once every three months. It is often easier for control owners to assess the
design and performance of controls using time periods and for the risk manager
to convert them to percentages, as required, for monitoring and modelling.

Ranges compared with single figures


Although many firms find difficulty in assessing the risk likelihood and
impact as a single figure, it appears to be easier for control owners to relate to
single figures or periods than ranges of control failure. This may be partially
due to the fact that controls tend to be better understood by control owners
as they often operate, or at least review, controls on a relatively frequent basis.
The use of a range for the failure of a control may therefore be less helpful than
a range for the likelihood or impact of a risk.

Importance and compliance


As well as design and performance being used as an assessment pair for controls,
some firms use the importance of the control and how compliant the firm is to
the control. The importance is assessed in relation to the mitigation of the risk
and the compliance is assessed by not only how well the control is performed,
but also taking into account findings of internal audit and compliance. This is a
more complex form of assessment and is used by only a minority of firms.

What a risk and control assessment looks like


The results of a risk and control assessment will typically look like the example
given in Figure 4.6. This contains numeric assessments of risks and controls
and identifies the specific controls and both the risk and control owners.
Colours or shading help to identify quickly and easily where the greatest risks
lie and where to prioritise risk and control monitoring.

Action plans

Explicit acceptance of risks or need for action plans


When the gross risk has been assessed and the current quality of control(s) for
each risk has been scored it is possible to review whether the net risk remain-
ing is acceptable to the firm, or whether there is a need for an action plan to
either enhance the control(s) or reduce the risk exposure in some other way.

Action plan details


Each action plan should be linked to a risk and to the relevant control, where
appropriate. One possible action is, of course, to implement a new control
(rather than enhance an existing control) and therefore it will only be possible
to link this to a risk. An owner should be identified for the action plan and this

Figure 4.6 Typical risk and control assessment

| ID | Risk | Owner(s) of the risk | I | L | S | Controls | Owner(s) of the control | D | P | E |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Failure to attract, recruit and retain key staff | SR | 4 | 4 | 16 | Salary surveys | TJ | 2 | 2 | 4 |
| | | | | | | Training and mentoring schemes | TB | 3 | 2 | 6 |
| | | | | | | Retention packages for key staff | TJ | 4 | 4 | 16 |
| 2 | Financial advisers misinterpret/fail to understand the complexity of ‘equity release’ products | PL, AB | 4 | 4 | 16 | Staff training | TB | 4 | 4 | 16 |
| | | | | | | Learning gained from previous deals | KW & EL | 4 | 4 | 16 |
| | | | | | | Review of individual needs in performance appraisal process | TB | 3 | 2 | 6 |
| | | | | | | Procedure manuals for processes | EL | 4 | 4 | 16 |
| 3 | Poor staff communication | SR, JK | 4 | 4 | 16 | Defined communication channels | ZK | 4 | 3 | 12 |
| | | | | | | Documented procedures and processes | EL | 3 | 2 | 6 |
| 4 | Failure to understand the law and/or regulations | PL | 4 | 3 | 12 | Internal training courses | EL | 4 | 4 | 16 |
| | | | | | | Regular updates from various sources | EL | 4 | 1 | 4 |
| | | | | | | External training courses | TB & EL | 4 | 3 | 12 |
| 5 | Poor detection of money laundering | PL | 4 | 3 | 12 | AML annual training | TB & EL | 3 | 2 | 6 |
| | | | | | | Circulation of BBA awareness circulars | EL & ZK | 3 | 1 | 3 |
| | | | | | | KYC | ALL | 4 | 3 | 12 |
| 6 | Insufficient funds/deposits to cater for lending activities | CK | 4 | 3 | 12 | Liquidity risk policy | ZK | 4 | 4 | 16 |
| | | | | | | Advertising | KW | 4 | 3 | 12 |
| | | | | | | Economic forecasting | CK | 3 | 3 | 9 |
| 7 | Over-selling credit cards | CK | 4 | 3 | 12 | Staff training | TB | 3 | 3 | 9 |
| | | | | | | Credit scoring | EL | 4 | 4 | 16 |
| | | | | | | Forward business planning | ZK | 3 | 3 | 9 |
| 8 | Over-deployment of management resources on regulatory issues | RU, CK | 3 | 4 | 12 | Monthly budget against actual review | TJ | 3 | 4 | 12 |
| | | | | | | Corporate governance | CK | 4 | 4 | 16 |
| | | | | | | Monthly head of compliance & CEO meetings | CK | 2 | 2 | 4 |
| 9 | Failure to capture market opportunities | AB | 3 | 3 | 9 | Competitor monitoring | TB | 3 | 4 | 12 |
| | | | | | | Product development | TB | 2 | 2 | 4 |
| 10 | Over-dependency on outsourcing | CK | 3 | 3 | 9 | SLAs | CK & EL | 4 | 4 | 16 |
| | | | | | | Outsourcing monitoring | CK & EL | 4 | 4 | 16 |
| | | | | | | Due diligence | CK | 4 | 3 | 12 |
| | | | | | | Policy | CK | 3 | 4 | 12 |
| 11 | Weakness in information security system | RU, JK | 4 | 2 | 8 | Record retention | ZK | 2 | 2 | 4 |
| | | | | | | Information security policy, procedure and monitoring | ZK | 3 | 2 | 6 |
| | | | | | | Staff training and certification | TB | 3 | 3 | 9 |
| | | | | | | Client agreements/marketing | ZK & KW | 2 | 1 | 2 |
| 12 | Inadequate or insufficient IT infrastructure to achieve business objectives | JK | 2 | 4 | 8 | Business/strategic planning | ZA & KW | 3 | 4 | 12 |
| | | | | | | IT systems performance and capability monitoring | ZK | 4 | 3 | 12 |
| 13 | External fraud activities | PL | 3 | 2 | 6 | Anti-fraud training | ZK | 4 | 4 | 16 |
| | | | | | | Systems security | ZK | 4 | 4 | 16 |
| 14 | Failure to grow staff competencies | SR | 3 | 2 | 6 | Staff training | TB | 4 | 3 | 12 |
| | | | | | | Hire of temporary staff | TB | 2 | 2 | 4 |
| | | | | | | Appraisals | TB | 2 | 3 | 6 |
| 15 | Misaligned employee goals | SR, CK | 2 | 3 | 6 | Appraisals | TB | 2 | 3 | 6 |
| | | | | | | Corporate governance | ZA | 4 | 4 | 16 |
| 16 | Failure to sense and eliminate internal fraud | PL | 3 | 2 | 6 | Criminal background check | EL | 3 | 2 | 6 |
| | | | | | | Segregation of duties | ZA | 2 | 3 | 6 |
| | | | | | | Staff training | TB | 3 | 2 | 6 |
| | | | | | | Fraud monitoring | EL | 4 | 4 | 16 |
| | | | | | | Whistle blowing | ALL | 3 | 3 | 9 |
| 17 | Unfit or inappropriate new products launched | AB | 4 | 1 | 4 | Staff training | TB | 3 | 2 | 6 |
| | | | | | | New products approval process | KW | 3 | 2 | 6 |
| 18 | Poor strategic decision making | CK, AB | 4 | 1 | 4 | Monitoring of market data | KW | 4 | 4 | 16 |
| | | | | | | Research and forecasting | KW | 4 | 2 | 8 |
| | | | | | | Monthly Management Forum | ZA | 4 | 3 | 12 |
| | | | | | | Marketing strategy review | ZA & KW | 3 | 3 | 9 |
| 19 | Inaccessible premises | RU | 3 | 1 | 3 | BCP/M | EL | 4 | 3 | 12 |
| | | | | | | Security of floors (to enable loss to be better managed) | ZA | 3 | 4 | 12 |
| | | | | | | Building and firm guards | ZA | 4 | 4 | 16 |

Key: I = impact; L = likelihood; S = I × L (composite risk score); D = design; P = performance; E = D × P (composite control score)

Source: Courtesy of Chase Cooper Limited

will typically be the risk owner if the action plan is for a new control or the con-
trol owner if the action plan is to enhance an existing control. The owner should
be notified in writing that an action plan has been raised against their name. A
target date should be agreed with the owner and noted in the action plan. Any
delay to the date should also be noted with the reason for the delay.
If the action is significant, and will take a considerable time to complete,
then a cost–benefit analysis may be appropriate. Part of this analysis may be
a consideration of the firm’s risk appetite in comparison to the new resultant
net risk and may involve mathematical modelling of the existing and proposed
risk profiles.

How to go about a risk and control assessment

Third party review, facilitated sessions, self-assessment


Facilitated sessions for risk assessment are the most common way to begin
assessing a firm’s risks and controls. Self-assessment by a firm is a common
aim. A typical self-assessment will be facilitated by the risk department, with
staff from the business line or department being assessed providing a detailed
functional knowledge. This will enable a common and consistent approach to
self-assessment across the firm whilst utilising the detailed skills and knowl-
edge relating to particular risk areas.
However, there is a lot of merit in assessment sessions being facilitated by
a third party, such as a consultant, and by the head of operational risk or the
head of risk of the firm. This enables the best of both worlds to be obtained by
using someone with outside knowledge of risk methodologies combined with
someone with internal knowledge of the firm.
An independent review of risks and controls by a third party provides
relatively little business benefit. An outside third party may bring a wider
knowledge of risks and controls, but the firm itself should be in the best pos-
ition to understand its own risks and controls. However, a third party with a
wider knowledge can provide benchmarking against similar firms, which can
be invaluable in helping the firm to improve its controls and so reduce its risk
profile cost-effectively.

Workshops, interviews, questionnaires


Whichever one of the above approaches is used, the methodology can be
applied through workshops, interviews or questionnaires. Each of these has dif-
ferent advantages:
• Workshops enable the sharing and discussion of risks relating to an area. The team involved in the workshop is able to spend time agreeing on the risks and debating the impact and likelihood of each risk. This will often be the first time that the team, as a whole, has considered the risks and controls to the area. The workshop can be used as an effective team building mechanism enabling all attendees to function more coherently in the future due to a shared assessment of the risks and controls. The two major disadvantages of a workshop are the required coordination of diaries to allow all members of the team to attend and the combined time required from the team. Workshops also need to be ably facilitated to make sure that participants have an equal voice and are not dominated by the behaviour or seniority of one of their members.
• Interviews are far more efficient in the use of time required initially as each person is usually able to identify and assess the relevant risks quickly. However, a second round of interviews is often required in order to share the combined risk assessment with each participant. This can quickly degenerate into a considerable number of rounds of interviews unless the process is well managed. There is also relatively little team building when interviews are used.
• Questionnaires can be particularly useful when the team relating to the area to be assessed is widespread. For example, if an international business is being assessed, it may require team members to travel from many different locations if the assessment is by workshop. However, questionnaire responses are difficult to collate if a questionnaire is an open one. Conversely, the responses can be too narrow and insufficiently illuminating for senior management if the questions are too closed.
One important thing to remember about all of these is their susceptibility
to various forms of bias, either in the questions being asked, the experi-
ence of the participants, the relevant seniorities of participants or simply
the way in which they are conducted. Similar issues arise with scenarios and
the topic of behavioural bias is covered in more detail in Chapter 9, Stress
tests and scenarios.

Follow-up
A risk and control assessment workshop, interview or questionnaire invariably
requires follow-up work. This will typically be in relation to further control
investigation and testing. Additionally, risk and control assessment partici-
pants need further time to consider the scores to be assigned to controls, and
sometimes to risks as well. Action plans are another common area requiring
follow-up after a risk and control assessment.
Validation of the identified risks and controls (and their scores) can also be
obtained by follow-up discussions with peer group members and with internal
audit (see also Use of losses to back-test impacts and likelihood above).

Control effectiveness
Once controls have been identified and scored, it is possible to assess their
effectiveness in mitigating the risk. Control scores can be directly compared
with risk scores although many organisations use pictorial representations such
as heat maps (see Figure 4.4) and spidergrams (see Figure 3.10).
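The following Python is an added example, not code from the book or from Chase Cooper, serving both the normalisation point made under ‘Three/four/five or more scores’ and the comparison of control scores with risk scores described here. It normalises the composite risk score (I × L) and composite control score (D × P) onto a common 0 to 1 range so that scales with different numbers of levels can be compared, counts risks per impact/likelihood cell with the percentage of all risks, which is how the cells of a residual heat map such as Figure 4.4 are populated, and flags risks whose strongest control scores below the risk itself. The five-level impact and four-level likelihood labels are those of Figure 4.4; the sample rows borrow risk and control names from Figure 4.6 but their scores are constructed and are not the book’s data.

```python
"""Heat-map cells and risk-versus-control comparison from a risk and control assessment.

Added example, not from the book. Scale labels follow Figure 4.4 (five impact
levels, four likelihood levels); controls use the four-level design and
performance scores of Figure 4.6. The sample risks are constructed, loosely
modelled on Figure 4.6, and are not the book's data.
"""
from collections import Counter
from dataclasses import dataclass, field

IMPACT = ["Minor", "Important", "Significant", "Critical", "Catastrophic"]
LIKELIHOOD = ["Extremely Remote", "Remote", "Probable", "Likely"]
CONTROL_LEVELS = 4  # design and performance each scored 1..4


@dataclass
class Control:
    name: str
    design: int       # D, 1..CONTROL_LEVELS
    performance: int  # P, 1..CONTROL_LEVELS


@dataclass
class Risk:
    id: int
    name: str
    impact: int       # I, 1..len(IMPACT)
    likelihood: int   # L, 1..len(LIKELIHOOD)
    controls: list = field(default_factory=list)


def risk_score(risk):
    """Composite I x L, normalised to 0..1 so scales of different length compare."""
    return (risk.impact * risk.likelihood) / (len(IMPACT) * len(LIKELIHOOD))


def control_score(control):
    """Composite D x P, normalised to 0..1 on the control scale."""
    return (control.design * control.performance) / (CONTROL_LEVELS ** 2)


def heat_map(risks):
    """Risks per (impact, likelihood) cell with the percentage of all risks,
    the figures a residual heat map such as Figure 4.4 is drawn from."""
    cells = Counter((r.impact, r.likelihood) for r in risks)
    total = len(risks)
    return {
        (IMPACT[imp - 1], LIKELIHOOD[lik - 1]): (n, round(100 * n / total))
        for (imp, lik), n in sorted(cells.items())
    }


def under_controlled(risks):
    """IDs of risks whose strongest control, once normalised, scores below the
    risk itself; a risk with no control at all is always flagged."""
    flagged = []
    for r in risks:
        best = max((control_score(c) for c in r.controls), default=0.0)
        if best < risk_score(r):
            flagged.append(r.id)
    return flagged


# Constructed sample assessment (names borrowed from Figure 4.6, scores invented).
SAMPLE = [
    Risk(1, "Failure to attract, recruit and retain key staff", 4, 4, [
        Control("Salary surveys", 2, 2),
        Control("Training and mentoring schemes", 3, 2),
        Control("Retention packages for key staff", 4, 4)]),
    Risk(11, "Weakness in information security system", 5, 3, [
        Control("Information security policy, procedure and monitoring", 3, 2),
        Control("Staff training and certification", 3, 3)]),
    Risk(13, "External fraud activities", 3, 2, [
        Control("Anti-fraud training", 4, 4),
        Control("Systems security", 4, 4)]),
    Risk(19, "Inaccessible premises", 3, 1, [Control("BCP/M", 4, 3)]),
    Risk(20, "New product line with no control identified yet", 2, 3),
]

if __name__ == "__main__":
    for (imp, lik), (n, pct) in heat_map(SAMPLE).items():
        print(f"{imp:>13} / {lik:<16}: {n} ({pct}%)")
    print("under-controlled risk IDs:", under_controlled(SAMPLE))
```

The normalisation is what makes the comparison legitimate when, say, risks are scored on a 5 × 4 grid and controls on a 4 × 4 grid; without it a raw S of 16 and a raw E of 16 would look equivalent although they sit at different points on their respective scales.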

Using risk and control assessments in the business

Link to risk appetite


As discussed fully in the risk appetite section of Chapter 3, Governance, a risk and control assessment illustrated graphically, either in a coloured table or as a spidergram, is an excellent way of assessing risks and controls against the risk appetite set by a firm’s management for those risks.

Link to provisions/budgets
The expected level of risk impact, i.e. the net or residual level after controls,
can be linked to management provisions and budgets as this is the ‘accepted’
level of loss from a risk and will therefore be taken into account when calcu-
lating internal management figures. This level of impact can be regarded as
the cost of doing business. Where there is little or no link between manage-
ment budgets for expected loss figures and the figure indicated as the residual
impact on a risk assessment, management should be challenged on the validity
of the budget or the residual impact or both.

Using risk and control assessments for quantification


Risk and control assessments can be used for quantification and modelling
purposes, as well as internal and external losses. A risk and control assessment
is a good indication of the internal control environment, which is one of the
four items required for advanced modelling of operational risk (see Chapter 8,
Modelling, for more details).
Additionally, risk and control assessments can be used to make clear the
effects of a scenario on the risk profile of a firm. A scenario will inevitably
change the mitigation effects of controls and may reveal further risks to a firm.
These can be reflected in the relevant risk and control assessments (see Chapter
9, Stress tests and scenarios, for more details).

Internal audit
The production of risk and control assessments is of great use to internal audit.
A risk assessment identifies areas where management believes the controls to be perfectly adequate and areas where management believes that the controls require enhancement. Internal audit based on perceived adequate
controls can be extremely helpful. If it is confirmed that controls are indeed
adequate, remedial action can be focused elsewhere. However, if the internal
audit finds that controls are not operating as intended and as believed, the
need for remedial action is clear.

Why do risk and control assessments go wrong?


Risk and control assessments ‘go wrong’ for many reasons. The most common
ones are:
• lack of management buy-in to the risk and control assessment process because there is little perceived business benefit: this leads to strategic risks not being identified and to the assessment process not being taken seriously
• paper overload resulting from too many questionnaires
• lack of feedback from the risk department to the area being assessed
• inflexible software leading to the assessment process being discredited
• failure to link indicators and losses to the identified risks and controls leading to a lack of coherence and consistency in the assessment
• lack of action/follow-up to controls which are viewed as ineffective or to risks which have too few controls.
Of these, the critical ones are: lack of buy-in, lack of feedback and lack of fol-
low-up or action. All are symptomatic of a lack of commitment to operational
risk management. If the right management structures are in place, a risk and
control assessment will be seen as the simple and valuable process which it is
and the problems quoted will either not exist or will be dealt with.

Summary
Risk and control assessments are probably the first step in establishing an
operational risk management process. The concepts of impact and likelihood
assessments are readily grasped and they can deliver quick business benefit to
the risk owners in the business as well as those in either an oversight or inde-
pendent assurance role.

To be truly effective, they should be linked to objectives at each level of the business. They come with a number of health warnings as this chapter has
made clear. There needs to be clarity about the levels of both risks and controls
and especially clarity about whether the thing being assessed is a cause, event
or effect.
Risk and control assessments, though, are only one tool in the tool box of
the operational risk manager. They should be used in conjunction with loss
causal analysis (see Chapter 5, Events and losses), indicators (see Chapter 6) and
scenario analysis (see Chapter 9, Stress tests and scenarios), which we shall go
on to look at in the following chapters.

94

M04_BLUN7323_01_SE_C04.indd 94 29/06/2010 09:52


5
Events and losses

Introduction
What is meant by an event
Data attributes
Who reports the data?
Reporting threshold
Use of events
External loss databases
Using major events
Timeliness of data
Summary

Introduction
Events and losses are a fundamental part of operational risk management. They
are a clear and explicit signal that an operational risk has occurred. This may
be due to the failure of a control, the lack of a control or simply a very unusual
event that was not foreseen.
As shown in Figure 5.1, events are one of the three fundamental processes of
operational risk management. They provide valuable objective challenge to the
subjective nature of risk and control assessments. They are also often used as
indicators of risks and controls, as we shall see in Chapter 6, Indicators.

Figure 5.1 Typical operational risk framework, showing position of events

[Figure: within the operational risk environment and under Governance, three parallel processes, each with its own action plans: Indicators (identify key risk and control indicators), Risk and control assessment (specify risk appetite, identify risk and control owners, assess likelihood and impact, assess control design and performance) and Events (identify and capture internal and external events, analyse causes). These feed Scenarios and modelling, and then Reporting.]

Source: Courtesy of Chase Cooper Limited

What is meant by an event
Typically, the term ‘event’ is used to describe the occurrence of a risk –
whether or not an actual loss is suffered by the firm. Events can be categorised
as hard or soft and direct or indirect. Examples of these categories in the event
of the loss of an IT system are:
• a direct hard event is the overtime money paid to the software and hardware
engineers to restore the system – this is the money which actually
flows out of the firm
• an indirect hard event is the extra food and hotel bills paid to feed and
accommodate the software and hardware engineers whilst they
restore the system – this is also money which has flowed out of the firm
• a direct soft event is the loss of sales that could not be concluded
– although this is difficult to quantify, it is a direct consequence of
the event
• an indirect soft event is less growth achieved by the firm than it had
budgeted – this is also difficult to quantify, although it is still a consequence
of the event.

Near misses
Events can also be categorised into actual losses or near misses. An actual loss
is easy to describe in that it is a debit to the profit and loss account of the firm
or the reduction of the value of an asset held by the firm.
There are at least two different definitions of a near miss:

1. An event which would have occurred if the final preventative control
had not worked.
2. An event has happened, but it did not result in an actual financial or
non-financial loss or harm due to either the correct operation of detective
and/or corrective controls or simply the random nature of events.

Clearly, in the first definition, there is no actual loss because the risk has not
occurred. However, valuable information can be captured by identifying and
analysing even this sort of event, since one or more controls have failed in order
for a near miss to have occurred.
In the second definition, either a positive or a negative value is attached to
the event (a gain or a loss), or there is no financial impact at all, although there
may be some non-financial impact. Some firms which adopt the first definition
as a near miss characterise the second definition as an incident, to differentiate
it from an event which has a negative financial impact. Again, there is sig-
nificant operational risk management information: preventative controls have
failed (or they did not exist) and need to be analysed, whilst the detective and
corrective controls may have worked; or the firm may have been very fortunate.
As an example, a brick falls from the top of a building on a building site, but
nobody is hit or hurt.
Near misses are therefore invaluable for challenging risk and control
assessment scores. They are particularly helpful in assessing the performance
of controls. If there have been a number of near misses relating to a specific
preventative control, the current score of that control should be questioned,
especially if its performance is assessed as good or even very good.

Gains and offsets
Operational event profits and gains are just as valuable for challenging likeli-
hood and impact assessments as operational event losses. Of course, in many
areas (such as the trading floor) gains and losses should be equal in number.
A trader’s ‘fat finger’ is as likely to produce a gain as a loss. However, human
nature being what it is, this is rarely seen in reports and is a reflection of a bias
in reporting. Many profits are absorbed into the business line, whereas losses
are usually identified explicitly.
Inevitably, and throughout most of this chapter, events and losses tend to
be spoken of in the same breath. We are primarily concerned with negative
impacts, whether they are financial or reputational. In operational risk, how-
ever, events which produce gains are just as valuable a source of information
because they also represent control failures. Operational risk is not all about
adverse consequences. It demands a different risk mindset.
As well as gains being realised when an event happens, sometimes an event
will generate offsetting amounts to the actual loss. These may themselves be
hard or soft and direct or indirect. For example, if the loss of an IT system
prevents a trader from reducing a position which then results in an unexpected
profit, there is a financial offset. From an operational risk perspective, the
offset should be separated from the costs involved in the loss of the IT system
and both should be investigated.
Likewise, recoveries should be separately identified so that the gross loss is
known, as well as the net loss. A typical recovery is a claim on an insurance
policy. This may be viewed as the operation of a corrective control which trans-
fers the financial loss to a third party outside the firm. Alternatively, recoveries
may be obtained directly from a third party. An example of this will be the
back-valuing of a payment by a counterparty who has paid late.

Lost data
One of the great problems with operational risk is that it depends on the com-
prehensive reporting of events and losses, near misses and gains in order to
build up as accurate a picture as possible of the scale of operational risk in the
firm, or whether controls are effective. However, events and losses are rarely
reported fully. Actual losses are the best reported, although even these are fre-
quently incomplete. As noted above, near misses are less frequently reported
and gains are rarely reported at all. Considerable amounts of information are
therefore in danger of being lost.
One way some firms have successfully tackled the problem of lost data is by
making the operational risk function responsible for the insurances of the firm.
The head of operational risk (in conjunction with the CFO) then assures the
business line heads that any potential loss which is reported to operational risk

within 12 hours of first being identified will not be charged to the business line
profit and loss, even if it ultimately results in an actual loss. This approach:
• encourages more complete reporting of events and losses
• encourages earlier reporting of events and losses
• encourages near miss reporting, as events are reported before they
become losses
• does not disadvantage the firm, as losses simply move from one account
centre to another (business line to risk management)
• results in the insurance buyers in the firm being more fully informed.

Data attributes
Given the valuable business uses to which events and losses – and gains – can
be put (see later, Use of events), the next step in the process is to decide what
information should be gathered about the events and losses. The information
collected will vary from firm to firm, but there is a minimum set of data
attributes which is collected:
• name of the firm in which the event occurred
• geographical location of the event
• business activity
• loss event type, down to a detailed level
• the event start date, discovery date (and end date, if the event has finished)
• description of the event
• causes of the event
• amount of loss and recovery components
• management actions taken.

Name of firm
This may seem obvious, but in a group of companies more than one firm
may be involved. Often both the name of the organisation in which the event
occurred and the name of the organisation in which the event is detected are
recorded as both of these are important from a risk management and control
improvement perspective. Additionally, data may be held relating to the firm
which will suffer any loss, as this may be different from the firm in which the
event occurred and the firm which detected the event. This can happen, partic-
ularly in a group, where the firm in which a transaction is booked is different
from the firm in which the transaction is originally undertaken and again dif-
ferent from the firm processing the transaction.

Geographic location
Recording where an event happens is important from an operational risk man-
agement perspective. There may be control weaknesses which are inherent in a
particular location (perhaps due to ethnic culture) or, alternatively, which indi-
cate a better or worse control culture, as compared with other locations. Either
way, it is vital to understand each area’s control ability so that decisions on
improving controls can be taken based on knowledge, rather than take a blan-
ket approach, possibly based on guesswork.

Business activity
Identifying the particular business activity or product line is useful, especially
in a group where business units in different companies may be involved in
the same activity or in selling similar products. It helps to achieve consistent
reporting, both within the group and if external reporting is necessary, perhaps
to a government body or regulator, although it is not often that the taxonomy
of external reports conforms to internal ones. Recording the business activity
can also identify units where controls which are operated across a particular
activity have failed, or appear to have been particularly successful, and point to
improvements which will benefit the whole group.
An example of business activities used by an industry is the table of busi-
ness lines set by the Basel Committee in its Revised Framework issued in June
2004 (see Table 5.1). These are focused on profit centres (as given by the name
‘business lines’). But cost centres are just as valid. Significant operational risk
events can occur in, for example, HR, the legal division, IT or even the CEO’s
office. In fact some of the biggest risks lie at the door of the CEO’s office.
Examples range from unguarded statements (Ratner) to outright fraud (Enron
and Maxwell).
Firms should, of course, draw up their own schedules of business lines or
activities. The list given in Table 5.1 is bank-related. In banking, all banks can
draw up their own lists, but have to be able to map them to the ‘Basel’ busi-
ness lines. Whilst a common taxonomy may help regulators to compare firms
and jurisdictions, there is a danger that firms simply adopt the regulators’ tax-
onomy, without really thinking about what is useful for their business.
The Basel business lines are, in fact, often fairly meaningless even to many
financial services firms as there are relatively few firms which span a significant
number of business lines. Firms which cover only one or two business lines,
such as for example asset managers, are far more likely to analyse the loss data
at a detailed level which is relevant to them. They may prefer to categorise loss
data by fund type or by each fund. It is common for the trustees of a fund to
require notification from the manager of losses which have been suffered by the
fund above a certain level, either an absolute monetary amount or a specified
percentage of the fund assets under management.

Table 5.1 Generic financial services business lines

Business lines
Level 1                | Level 2                           | Examples of activity groups
Corporate finance      | Corporate finance                 | Mergers and acquisitions, underwriting,
                       | Municipal/government finance      | privatisations, securitisation, research,
                       | Merchant banking                  | debt (government, high yield), equity,
                       | Advisory services                 | syndications, IPOs, secondary private placements
Trading and sales      | Sales                             | Fixed income, equity, foreign exchanges,
                       | Market making                     | commodities, credit, funding, own position
                       | Proprietary positions             | securities, lending and repos, brokerage,
                       | Treasury                          | debt, prime brokerage
Retail banking         | Retail banking                    | Retail lending and deposits, banking services,
                       |                                   | trust and estates
                       | Private banking                   | Private lending and deposits, banking services,
                       |                                   | trust and estates, investment advice
                       | Card services                     | Merchant/commercial/corporate cards, private
                       |                                   | labels and retail
Commercial banking     | Commercial banking                | Project finance, real estate, export finance,
                       |                                   | trade finance, factoring, leasing, lending,
                       |                                   | guarantees, bills of exchange
Payment and settlement | External clients                  | Payments and collections, funds transfer,
                       |                                   | clearing and settlement
Agency services        | Custody                           | Escrow, depository receipts, securities lending
                       |                                   | (customers), corporate actions
                       | Corporate agency                  | Issuer and paying agents
                       | Corporate trust services          |
Asset management       | Discretionary fund management     | Pooled, segregated, retail, institutional,
                       |                                   | closed, open, private equity
                       | Non-discretionary fund management | Pooled, segregated, retail, institutional,
                       |                                   | closed, open
Insurance              | Life                              | Life, annuities, pensions, health
                       | General                           | Property, motor, third party liability, crime,
                       |                                   | credit and suretyship, marine, aviation, transport
Retail brokerage       | Retail brokerage                  | Execution and full service

Source: Basel Committee on Banking Supervision, International Convergence of Capital Measurement and
Capital Standards: A Revised Framework, June 2004, Annex 6

Equally a regional retail bank will find significant business value in
categorising its losses by the detailed products it sells to its customers, or
alternatively categorise by department. The choice is often determined by the level
of risk analysis undertaken by the firm. This will be influenced by, and will
influence, the level at which risk and control assessments are carried out.

Loss event type
Classifying losses by business activity or product line is important. But the
foundation of operational loss analysis is to be able to allocate losses to loss
event types. The difficulty with loss event types is to have enough to be able
to break down operational risk losses into sufficient granularity to be useful for
effective and intelligent operational risk management, without disappearing
into an unwieldy myriad of detailed categories. Those who handle volumes of
manual reports can tell you that in any batch, anything up to 30% of entries
will contain at least one data element which is incorrectly recorded. The more
loss categories you have, the more likely it is that events will be incorrectly
recorded, however excellent your instructions may be.
And remember that loss event types are not a substitute for risk types. You
need to be clear as to whether you are classifying risks or risk events. Risks are
generally ‘failures to . . .’ or ‘poor . . .’. Events are the manifestation of a risk
actually occurring.
Another example from the Basel Committee is given in Table 5.2. This is a
start for financial services firms, but is not detailed enough to provide mean-
ingful management analysis, even if it apparently helps the regulators to
understand the operational risk profile of banks. It also confuses causes and
effects with the events it is aiming to record.
How you classify loss events both is, and should be, up to you, but always
remember that how you classify will affect much of your operational risk
analysis.

Dates
It might be thought that the date of an event or loss is a fairly simple piece of
data to record. However, it can be difficult, particularly if the event occurred
several months before detection. Often the only clear date is when the event is
discovered. Some events occur over a period of time, in which case it is help-
ful to record the start and end dates. On the other hand, when an event is first
reported, it is often ongoing and it may be a number of months before it is
closed and the loss established.
Where the ‘event’ is in fact a number of separate events linked by a single
cause, such as the unauthorised trading undertaken by Nick Leeson at Barings
and Jérôme Kerviel at Société Générale, a single date may be inappropriate and
a period may work better. In that case, though, it is important to consider the
effect on estimates of likelihood, since dates are fundamental to this. In
operational risk assessments, even dates are not as simple as they seem.

Table 5.2 Generic financial services loss event types

Basel loss event types
Level 1                                    | Level 2
Internal fraud                             | Unauthorised activity
                                           | Theft and fraud
External fraud                             | Theft and fraud
                                           | Systems security
Employment practices and workplace safety  | Employee relations
                                           | Safe environment
                                           | Diversity and discrimination
Clients, products and business practices   | Suitability, disclosure and fiduciary
                                           | Improper business or market practices
                                           | Product flaws
                                           | Selection, sponsorship and exposure
Damage to physical assets                  | Disasters and other events
Business disruption and system failures    | Systems
Execution, delivery and process management | Transaction capture, execution and maintenance
                                           | Monitoring and reporting
                                           | Customer intake and documentation
                                           | Customer/client account management
                                           | Trade counterparties
                                           | Vendors and suppliers

Source: Adapted from Basel Committee on Banking Supervision, International Convergence of Capital Measurement and
Capital Standards: A Revised Framework, June 2004, Annex 7

Description
At a minimum, a brief description of the event should be given. However,
some firms require event descriptions which can run to a page or more. Whilst
it is helpful to have all the information recorded, this may work against the
speedy and timely reporting of events – or even their being reported at all. A
well-run firm may have an absolute requirement for a brief description within,
say, 24 hours of the event being detected, followed by a more detailed descrip-
tion when sufficient information is available.

Causes
Cause lies at the heart of operational risk management. It is not enough to
know that an event occurred or nearly occurred. It is essential to understand
why, so that remedial action can be taken. Reporting events and not causes
means that they can be counted, but not managed. The cause of an event
should form part of the detailed description of an event, although it is more
helpful to report it separately. There is a danger, if cause, event and effect are
not separately identified, for the loss event type (of the types shown in Table
5.2) to be used as a proxy for causal analysis. There is relatively little loss of
business benefit by doing so if the point of the exercise is to provide a consis-
tent basis for assessing risk. But the point is often ignored.
There are certainly benefits to be gained through a more accurate descrip-
tion of the cause of an event and allocating causes to generic causal categories.
But the most important information in reports of loss events is to identify the
controls which have failed. At least a primary control failure should be identi-
fied, although firms should identify secondary control failures as well. A single
event is often the result of a number of control failures. Careful causal analysis
will identify priorities to enhance or improve controls.
Since a single cause can trigger a number of different risk events, linked
risks can also be identified by recording causes, as well as any risk indicators
which relate to the event. This will enable a holistic analysis of events to be
easily undertaken, which will link together the three fundamental operational
risk management processes of risk and control assessments, indicators and
event causal analysis.

Amount of loss and recovery components
As noted above, the impact of events can be divided into hard and soft as
well as direct and indirect. The hard direct impact, where it exists, is always
recorded. The other three categories may be recorded, depending on the rela-
tive sophistication of the causal analysis carried out by the firm. It should also
be recognised that the final amount of the loss may not be known for a number
of months and only estimates may be available when the event is first detected.
Alternatively, a first actual monetary value may be available immediately,
which may then require changing as the event progresses and more infor-
mation becomes available.
In a firm which operates in a number of currencies, particularly where an
event spans several countries, attention should be paid to the currency in
which the event and its subsequent increments are reported. In a group,
financial reports are usually anchored back to the head office currency as this
simplifies reporting and analysis at the group level. However, currency rates
vary over time and account must be taken of this. To prevent the confusion

which can occur if the amount of loss from an event is regularly recalculated
according to prevailing exchange rates, the simplest practice is to rely on the
exchange rate obtaining when the event is first reported. As rates fluctuate,
that could, of course, mask the materiality of a particular event, but it has the
merit of consistency.
One final issue is where a number of events, possibly relatively small in
value, are linked by a single cause, but in aggregate amount to a significant
figure. Let us return to the unauthorised trading losses incurred by Barings
and Société Générale, through the activities of Nick Leeson and Jérôme
Kerviel, totalling as they did US$1bn and €5bn respectively. Did each false
trade reflect the failure of a particular – or possibly the same – control, or were
they the result of a general cause, ‘unauthorised, or fictitious, trading’ by the
individuals concerned? Do you choose one aggregate amount, which is way
down the tail of your losses – how the events are often portrayed publicly –
or record each of the much smaller events, representing the individual control
failures which occurred?
The answer depends on your identification of control failures, or combinations
of control failures, but your decision will have a significant effect on
your risk modelling. It may also affect any insurance recovery. Does each event
fall below the policy deductible, and so is excluded, or is the aggregate sum
the amount covered? That obviously depends on the policy wording, but in the
end it goes back to the cause of loss.

Actions
The actions recorded can be divided into two types: immediate actions and
correct or improve actions. For example, when a laptop is lost, an immediate
action will be to disable the laptop’s access to the firm’s network. This is typ-
ical of an immediate reaction to the detection of an event. Following causal
analysis of the event, correct or improve actions may be:
• a staff note reminding staff to lock all laptops in the boot of their car
when transporting them
• a redrafted policy regarding to whom laptops will be issued
• the purchase of encryption software to be installed on all laptops used
within the firm.
There is a clear difference between the two types of actions: immediate damage
limitation, followed by considered further action at amending and reinforcing
controls or the implementation of additional controls.

Additional information
It is helpful to allocate an owner to the loss so that there is clear responsibility
for achieving the actions necessary to ensure that the event does not happen to
the firm again.
Where a transaction or trade is involved, the unique transaction or trade
number is recorded, together with any relevant client details. This is, of course,
important if the event has a loss attached to it which may be passed back to
the client.
Internal and external notifications may also be necessary: internally to the
firm’s compliance, fraud or health and safety department, for instance; or ex-
ternally, to a regulator or government authority, depending on the type of
event that has occurred. And, of course, operational risk management must be
notified if they are not already aware.
All of these various elements come together in the type of loss reporting
form shown in Figure 5.2.

Figure 5.2 Example of a loss capture form

Source: Courtesy of Chase Cooper Limited

Who reports the data?
Some firms allow anonymous reporting of losses, whilst most require the
name of the person who detected the event. But the person who reports the
event may not necessarily be the person who detects it. Some firms require the
name of the person’s manager and will send an automatic e-mail to the man-
ager as validation and confirmation of the event. That can, however, discourage
whistleblowing, which can be a useful source of identifying potential or actual
high-impact/low-frequency events.
In a firm with the right operational risk culture, it is understood that
reporting events is not about blame, but about learning. As Andrew Hughes
puts it in his book on the BP Texas City oil refinery disaster, Failure to learn,
‘Blame is the enemy of understanding’.1 Many firms have a loss reporting form
on their intranet which is available to all staff. In this case, staff are encouraged
to report events as they happen.
An alternative is for the operational risk leader or champion within the
detecting department or business line to make the report. The advantage of
this approach is that an operational risk leader will have some training in oper-
ational risk and will probably be a user of operational loss data. This should
mean that the data will be of a higher quality compared with data submitted
by an untrained person. However, there may be a time delay compared with a
submission by the employee who discovers the event.
Reconciling losses to the general ledger (or an audit) will provide valuable
confirmation and validation of the accuracy of reporting. However, it will not
identify events where there is no financial impact or, of course, events which
have not been reported – the lost data mentioned earlier.

Reporting threshold
The reporting threshold, the level down to which a firm seeks to capture
operational risk events, is a cost–benefit decision. The Basel Committee has set a
threshold of €10,000 for loss reporting by banks. It is interesting that, in a
recent survey of over 100 banks from around the world, most had a threshold
of €5000 or below.2 A number of firms, including banks, have a policy to
report all losses, no matter what size.
The operational risk management departments of many firms which have
set a size limit generally monitor losses down to a lower level, since sev-
eral smaller losses can add up to one larger loss which is above the reporting
threshold. In this way continual small control failures are captured before they
turn into a significant value. Weak signals can often demand strong action.
Many firms believe that capturing small losses costs more than the benefit
achieved. However, a reporting threshold above zero will prevent a significant
amount of control failure being captured, including the majority of operational
loss events which in fact have a zero financial impact. These, and events where
there have been small losses, will be picked up by successfully implementing a
zero reporting threshold. Although large losses will still be captured and can
be analysed, it is easily arguable that the firm will miss data today which could
prevent a large loss from happening tomorrow.
Setting the reporting threshold is therefore a significant issue, the conse-
quences of which should be properly understood by at least the risk committee
and preferably the board.
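The loss components, currency anchoring and cause-linked aggregation described under Amount of loss and recovery components, together with the point just made about small losses that add up to one above the reporting threshold, as an added Python example that is not the book's form or code; the exchange rates, threshold, deductible, firm names and events are all constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed rates into the head-office currency (GBP), keyed by currency and
# the date the event was first reported. Assumption, following the chapter: the
# rate obtaining at first report is reused for every later increment.
FIRST_REPORT_RATES = {
    ("GBP", "2010-03-01"): 1.00,
    ("EUR", "2010-03-01"): 0.90,
    ("EUR", "2010-04-15"): 0.87,  # the rate has moved; a later event uses its own
}

@dataclass
class LossEvent:
    """One loss-capture record carrying the chapter's minimum data attributes."""
    event_id: str
    firm_occurred: str
    location: str
    business_line: str          # Basel level 1 business line (Table 5.1)
    event_type: str             # Basel level 2 loss event type (Table 5.2)
    cause: str                  # recorded separately from the event type
    discovery_date: str
    currency: str
    first_report_date: str
    hard_direct: float          # always recorded where it exists
    hard_indirect: float = 0.0  # the other three impact components are optional
    soft_direct: float = 0.0
    soft_indirect: float = 0.0
    recoveries: float = 0.0     # insurance claim, back-valued late payment, ...
    offsets: float = 0.0        # e.g. an unexpected profit; kept separate
    failed_controls: List[str] = field(default_factory=list)  # primary first

    def rate(self) -> float:
        return FIRST_REPORT_RATES[(self.currency, self.first_report_date)]

    def gross_loss(self) -> float:
        """All recorded impact components in GBP, before any recovery.
        Offsets are deliberately not netted: they are investigated separately."""
        components = (self.hard_direct + self.hard_indirect
                      + self.soft_direct + self.soft_indirect)
        return round(components * self.rate(), 2)

    def net_loss(self) -> float:  # gross less recoveries; both stay visible
        return round(self.gross_loss() - self.recoveries * self.rate(), 2)

def aggregate_by_cause(events: List[LossEvent]) -> Dict[str, dict]:
    """Group events by recorded cause, summing gross loss and pooling the
    controls reported as failed, so linked events can be seen as one."""
    by_cause: Dict[str, dict] = defaultdict(
        lambda: {"count": 0, "gross": 0.0, "controls": set()})
    for ev in events:
        entry = by_cause[ev.cause]
        entry["count"] += 1
        entry["gross"] = round(entry["gross"] + ev.gross_loss(), 2)
        entry["controls"].update(ev.failed_controls)
    return dict(by_cause)

def above_threshold(events: List[LossEvent], threshold: float) -> List[str]:
    """Ids of events that reach the reporting threshold on their own."""
    return [ev.event_id for ev in events if ev.gross_loss() >= threshold]

def causes_above_threshold(events: List[LossEvent],
                           threshold: float) -> Dict[str, float]:
    """Causes whose linked events reach the threshold only in aggregate: the
    control failures that a threshold above zero would otherwise hide."""
    singles = set(above_threshold(events, threshold))
    hidden = {}
    for cause, entry in aggregate_by_cause(events).items():
        members = [ev.event_id for ev in events if ev.cause == cause]
        if entry["gross"] >= threshold and not singles.intersection(members):
            hidden[cause] = entry["gross"]
    return hidden

def insurance_view(events: List[LossEvent], cause: str,
                   deductible: float) -> Tuple[float, float]:
    """Recoverable amount if each linked event is a separate claim versus one
    aggregate claim under the same deductible; the policy wording decides."""
    linked = [ev.gross_loss() for ev in events if ev.cause == cause]
    per_event = sum(max(loss - deductible, 0.0) for loss in linked)
    aggregate = max(sum(linked) - deductible, 0.0)
    return round(per_event, 2), round(aggregate, 2)

# Constructed sample: one IT outage with all four impact components, a recovery
# and an offset; three small fictitious trades linked by one cause; and one
# keying error reported later, so it takes a different first-report rate.
def _fictitious_trade(event_id: str, controls: List[str]) -> LossEvent:
    return LossEvent(event_id, "Bank A", "Paris", "Trading and sales",
                     "Unauthorised activity", "unauthorised trading", "2010-02-28",
                     "EUR", "2010-03-01", hard_direct=4000, failed_controls=controls)

SAMPLE_EVENTS = [
    LossEvent("E1", "Bank A", "London", "Trading and sales", "Systems",
              "IT system loss", "2010-02-27", "GBP", "2010-03-01", hard_direct=12000,
              hard_indirect=3000, soft_direct=20000, recoveries=5000, offsets=7000,
              failed_controls=["server failover"]),
    _fictitious_trade("E2", ["trade confirmation"]),
    _fictitious_trade("E3", ["trade confirmation", "position limit check"]),
    _fictitious_trade("E4", ["position limit check"]),
    LossEvent("E5", "Bank A", "Paris", "Payment and settlement",
              "Transaction capture, execution and maintenance", "manual keying error",
              "2010-04-14", "EUR", "2010-04-15", hard_direct=1000,
              failed_controls=["four-eyes check"]),
]
```

With a constructed threshold of 5,000 in the reporting currency, only E1 reports on its own, while the three trades (3,600 each at the first-report rate) surface only when aggregated by cause, and the same aggregation decides whether anything at all is recoverable under a 5,000 deductible.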

Use of events
Causal analysis of events is critical for effective operational risk management.
The analysis can be used to challenge risk assessments and control assessments,
to validate indicators and to assist in the production of scenarios and stress
tests. Additionally, losses can be used in mathematical modelling for economic
capital allocation and for regulatory capital calculation.

Causal analysis and controls
The start of the causal analysis of an event is typically to determine which con-
trol or controls have failed. There are often a number of preventative controls
whose combined failure has led to an event occurring; some detective controls
may also have failed. It is important to determine the main controls which
have failed as this aids the design and implementation of action plans to pre-
vent the risk from occurring again.
Sometimes a risk has occurred because appropriate controls were not in place.
This is, of course, relatively easy to fix. However, it may be that it is acceptable
to the business for the risk to occur or that the implementation of controls to
prevent the risk occurring is regarded as too expensive. If so, it is important that
management understands and explicitly approves the acceptance of the risk.

Risk and control assessment
Once the main controls which have failed have been identified, scoring the
design and performance of the controls can be challenged with the objective
data of the event. In particular, if the performance of the control has been
rated as very effective, the frequency of failure for that control should be chal-
lenged if it has failed more than once in an agreed period. Although the design
of a control is more difficult to challenge directly through events, it is still
possible to draw some tentative conclusions through causal analysis and there-
fore to challenge this rating, as well as the performance rating.

The analysis of an event, whether or not a financial loss has occurred,
will also assist in challenging and validating the likely scoring of a risk in a
risk and control assessment. Looking at impact, it may be that an event has
occurred, but there has been no apparent impact. A check should nevertheless
be made to confirm both the impact and impact assessment shown in the risk
and control assessment and the risk owner asked to justify their assessment.
On the other hand, if there have been a series of impacts of similar value,
that is a good indication that the impact of the risk should be assessed at that
level. The risk owner may, however, feel that the firm has been fortunate in
managing the impact of the risk well and that a higher value is justified;
or that the firm has for a variety of reasons been poor at managing the risk
recently and that a lower value remains appropriate because systems and con-
trols have been tightened. Either way, the firm has challenged the subjective
risk assessment scores and created greater awareness of the value of both event
causal analysis and risk and control assessments.
Turning to the frequency or likelihood assessment, if three events of a cer-
tain risk have occurred in the past five months and the likelihood of the risk
has been assessed as low, it is important that the owner of the risk is chal-
lenged. It can often be easy simply to say that the firm, at least in relation to
this particular risk, has been experiencing a period of bad luck. However, it is
more likely that the assessment of likelihood has been unduly optimistic and
that the scoring of the likelihood should be revised upward.
Luck is a seductive and dangerous concept, which has no place in the cold
light of risk management. An event may be extremely random, and a concaten-
ation of events even more so, but they nevertheless happened. That may feel as if
the gods are against you, and it’s all unfair and unreasonable, but all events need
to be recorded and your assessments adjusted. Don’t ignore an event because
‘it was a one in a thousand year event’ or a ‘once in a lifetime’ event. ‘Once in
a lifetime’ events have a nasty habit of happening rather more often than that.
Outliers may not in reality lie as far out as we would like them to.
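The two challenges described above, a control rated very effective that has nevertheless failed more than once in an agreed period, and a risk whose likelihood or impact score does not fit the events actually recorded, can be run mechanically against an event log. The following is an added worked example, not code from the book or from Chase Cooper. The event records, the risk labels and the mapping of likelihood and impact scores to event counts and loss sizes are constructed assumptions that a firm would replace with the calibration in its own risk and control assessment methodology.

```python
"""Challenging risk and control assessment scores with event data.

Added worked example (not from the book). The calibrations and the event
log below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from math import ceil
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    occurred: date
    risk_id: str
    loss: Optional[float]                  # None = no apparent financial impact
    failed_controls: Tuple[str, ...] = ()  # controls found to have failed


@dataclass(frozen=True)
class Assessment:
    risk_id: str
    likelihood: int                        # 1 (low) .. 4 (high), as in an RCA
    impact: int                            # 1 (low) .. 4 (high)
    control_performance: Dict[str, int]    # control name -> performance score 1..4


# Assumed calibration: the most events per 12 months each likelihood score is
# meant to cover (no ceiling for a score of 4). A firm fixes this in its RCA method.
MAX_EVENTS_PER_YEAR = {1: 1, 2: 4, 3: 12}
# Assumed calibration: the smallest loss that falls into each impact score.
IMPACT_FLOOR = {1: 0, 2: 10_000, 3: 100_000, 4: 1_000_000}
VERY_EFFECTIVE = 4   # a control rated this highly should fail at most once in the period


def impact_score_for(loss: float) -> int:
    """Map a loss amount to the impact score whose band contains it."""
    return max(score for score, floor in IMPACT_FLOOR.items() if loss >= floor)


def events_in_window(events: List[Event], risk_id: str, as_of: date, months: int) -> List[Event]:
    """Events of one risk in the `months` calendar months ending with as_of's month."""
    idx = as_of.year * 12 + (as_of.month - 1) - (months - 1)
    start = date(idx // 12, idx % 12 + 1, 1)
    return [e for e in events if e.risk_id == risk_id and start <= e.occurred <= as_of]


def challenge(a: Assessment, events: List[Event], as_of: date, months: int) -> List[Tuple[str, str]]:
    """Return (category, message) findings where the events contradict the RCA scores."""
    findings = []
    recent = events_in_window(events, a.risk_id, as_of, months)

    # Likelihood: prorate the yearly ceiling to the window and compare the event count.
    ceiling = MAX_EVENTS_PER_YEAR.get(a.likelihood)
    if ceiling is not None:
        allowed = ceil(ceiling * months / 12)
        if len(recent) > allowed:
            findings.append(("likelihood",
                f"likelihood {a.likelihood} allows at most {allowed} event(s) in {months} months, "
                f"{len(recent)} occurred: challenge the owner to revise upward"))

    # Impact: a series of impacts of similar value points to that impact level.
    losses = [e.loss for e in recent if e.loss is not None]
    if losses:
        observed = impact_score_for(median(losses))
        if observed != a.impact:
            findings.append(("impact",
                f"impact assessed {a.impact} but median loss {median(losses):,.0f} "
                f"sits in band {observed}: ask the risk owner to justify the score"))

    # Events with no apparent impact still warrant confirming the impact assessment.
    no_impact = [e for e in recent if e.loss is None]
    if no_impact:
        findings.append(("no_impact",
            f"{len(no_impact)} event(s) with no apparent impact: confirm impact and impact assessment"))

    # Controls: a very effective control should not fail more than once in the period.
    failures = Counter(c for e in recent for c in e.failed_controls)
    for name, count in sorted(failures.items()):
        if a.control_performance.get(name) == VERY_EFFECTIVE and count > 1:
            findings.append(("control",
                f"control '{name}' rated {VERY_EFFECTIVE} but failed {count} times in {months} months: "
                f"challenge the performance rating"))
    return findings


# Constructed event log and assessments for two illustrative risks, A and B.
EVENTS = [
    Event(date(2010, 2, 3), "A", 12_500, ("Four-eyes check",)),
    Event(date(2010, 3, 17), "A", 9_800, ("Four-eyes check",)),
    Event(date(2010, 5, 28), "A", 14_100),
    Event(date(2010, 4, 9), "B", None, ("Reconciliation",)),
    Event(date(2009, 11, 2), "A", 250_000, ("Four-eyes check",)),   # outside a 5-month window
]
ASSESSMENTS = {
    "A": Assessment("A", likelihood=1, impact=1, control_performance={"Four-eyes check": 4}),
    "B": Assessment("B", likelihood=2, impact=2, control_performance={"Reconciliation": 2}),
}

if __name__ == "__main__":
    for risk_id, assessment in ASSESSMENTS.items():
        for category, message in challenge(assessment, EVENTS, date(2010, 6, 30), months=5):
            print(f"risk {risk_id} [{category}]: {message}")
```

Run as a script, risk A (three events in five months against a ‘low’ likelihood, losses clustering in a higher impact band, and a ‘very effective’ control that failed twice) produces three findings, while risk B produces only the request to confirm the impact of an event that had no apparent loss.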

Indicators
Events and losses can also be used to validate indicators. If an indicator shows that a control is starting to fail or that a risk is more likely to happen, some events will be expected to occur. If the events do not occur, the indicator must be challenged in case it is not as relevant to the risk as was originally thought. It should be borne in mind that a failure of one control will not necessarily cause a risk to occur, as other preventative controls may be in place and working. Whether or not this is the case can easily be seen from the risk and control assessment.
Equally, events and losses can be used to validate indicators of detective controls. In a similar way to the validation of preventative controls, the size of the events and losses is a guide to how well the detective control indicators are performing. This is shown in more detail in the discussion on Figure 8.6 in Detective and corrective control testing in Chapter 8, Modelling.

Scenarios and stress testing


A significant use of events and losses is in the creation and validation of scenarios and stress tests. The occurrence of real life events is a very useful pointer towards the construction of plausible but extreme scenarios and stress tests. By combining several events (each of which may occur on a reasonably regular basis) the more extreme event can be built. Developing a scenario in this way often leads to scenarios that are more easily accepted by management.

External loss databases


Up to now, we have been considering event information which is gathered from within the firm. However, as can be seen from Figure 5.3, there are three main sources of losses which are available for causal analysis. A firm’s own losses are inevitably the primary source of loss data. But there are two other sources of loss information which are external to a firm and which can yield valuable and different information to operational risk management.

Figure 5.3 Sources of losses
Losses are drawn from three sources: the firm’s own internal losses (high frequency, low impact; medium frequency, medium impact), competitors’ internal losses (high frequency, low impact; medium frequency, medium impact) and publicly available losses (low frequency, high impact).
Source: Courtesy of Chase Cooper Limited

Dealing first with information from competitors, a number of consortia exist which capture the internal losses of a number of firms, on a sectoral, national or international basis. Each consortium manager then anonymises the data and redistributes the anonymised data to all its members. The oldest such consortium in the financial services sector is the British Bankers’ Association’s GOLD loss database, which started in 2000.³ Consortium databases are a good example of the art of the possible. They often comprise only hard, direct losses, rather than indirect loss amounts, because that increases consistency and eliminates internal subjective assessments, including information which may be price sensitive. But they provide valuable additional events, especially towards the tail of the loss curve.
This type of data is inevitably similar to a firm’s own loss data in that it ranges from high frequency/low impact to medium frequency/medium impact events. As such, it provides valuable validation and confirmation of a firm’s own loss data. In addition, it can provide an early warning of losses which have occurred to a competitor but are not yet occurring to your firm. Given this warning, a firm is able to reassess its own controls in relation to the risks being suffered by its peers and possibly reduce or even eliminate the approaching losses relating to those risks.
A different type of loss database captures publicly available loss and event
data. These events are typically reported on the internet or in the media and
are of such a size or consequence that they are impossible to hide. Such data
are, by their nature, relatively rare, although they are the most valuable source
of data as losses of this size will rarely appear in a firm’s own data but are of a
size which could cause a firm to collapse. You can collect the data yourself, or
save some of the effort by subscribing to a firm offering that service and which
may be able to investigate further and provide a more objective analysis than
the information given in the press.
Finally, government agencies, such as the Health and Safety Executive, or
industry bodies, provide industry-wide information on events. As with all the
other external information, this is useful in helping firms to benchmark their
own performance and the quality of their controls.

Some health warnings on external data


Cultural differences – controls and risk appetite
Different risk cultures and risk appetites can distort the data. Often the conclusion of an analysis is that ‘the event could not happen here’. Whilst in all probability that may be correct, it should be questioned carefully rather than accepted casually. External data is more difficult to analyse, because the precise control environment cannot be known. Such data is nevertheless worthy of committing time and analytical resources to, as it is vital to avoid what are often significant losses.

Data completeness
The completeness of data in an external loss database is a major challenge to anyone using the data for causal analysis. In a database consisting of competitors’ internal losses, it is worth bearing in mind that the quality of reporting by competitors may not be up to your standard. Although most firms belonging to a consortium try hard to report all of their losses, no firm can be certain that it has captured all losses above the consortium reporting threshold.
In addition, the larger the loss to be reported the greater the temptation to reduce the size of the loss in case it is discovered which firm has incurred the loss (despite the anonymisation of the data). There is also the temptation to report only public knowledge, which may be very different from reality. One final problem concerns losses which are subject to a court or insurance settlement. The terms of the settlement often prohibit its publication in any form beyond the parties concerned – another example of lost data.
Given that a legally binding obligation to report a loss to the consortium is almost impossible to enforce, most consortia impose a moral obligation on a firm rather than a contractual obligation. But, as we said above, we are dealing with the art of the possible.
In a public loss database there will never be complete capture of data, because the range of media from which reports are gleaned is worldwide, but it will nevertheless provide information about large losses which, by definition, are outside your experience.

Data consistency
A linked problem is the quality and consistency of the data. Even if the data approaches completeness (which is highly unlikely), it is important that the data is of good quality. It is inevitable that the quality of the data will vary by consortium member with some members contributing the minimum required and others giving significant amounts of information. It is not uncommon for a significant percentage of data initially submitted to the data consolidator to be returned to consortium members because the data requires cleaning or further enhancement before it can be used by the consortium.
In a loss database recording public losses, knowledge of the control environment relating to each loss is very variable. This inevitably leads to a problematic quality of data, when using it for causal analysis or modelling purposes, as data consistency is vital to a meaningful analysis of either causes or capital assessments. Public information is also unlikely to tell the whole causal story, if only for good competitive or reputational reasons.

Scaling
One of the most significant problems with external loss data is how to scale the loss with respect to another firm. For example, the Barings loss was in the order of US$1bn. Barings was a well respected City of London bank with a strong pedigree, although not large by international standards. It had a number of offices (although, again, not a large number) around the world and dealt in a wide variety of financial instruments. How should Deutsche Bank consider the loss that Barings suffered? Clearly, Deutsche Bank is a much larger bank than Barings and so could possibly suffer a much larger loss. But how much larger? What multiplier should Deutsche Bank use? Should it be based on the comparative number of staff, gross revenues, profitability or something else which is in the public domain?
On the other hand, Deutsche Bank has more resources to hand, as it is a very much larger bank. Maybe the loss that it could suffer from poor segregation of duties should be smaller than US$1bn. After all, segregation of duties is a fundamental control that is an absolute requirement for the boards of many firms whatever the industry. Additionally, large banks’ operational risk controls are generally perceived to be better than those of smaller banks, notwithstanding the large operational losses suffered by a number of large banks over the years. In which case, how much smaller? Possibly an inverse of the ratio of the number of staff, gross revenues or profitability?
A pragmatic approach is to scale each loss with respect to the particular factors that influenced the loss, if these are known. For the Barings loss, a firm might first take into account the number of its branches which are small enough to have a segregation of duties problem. This is because, in a small unit, complete segregation of duties is often impossible; duties tend to be concentrated in the unit manager as there is no-one else who has the experience and authority to carry out supervisory controls. Having established the number of relevant branches, a further analysis is then made of the types of products handled in those branches and their value. By combining the two factors, it is possible to assess the likely effect of a similar incident on the firm concerned.
Using this method demands little detailed research about the precise size or financials of the loss-suffering firm, information which will probably be historic and of little relevance. It avoids using probably spurious correlations between firms by simple numeric multipliers of sales turnover or staff. It also has the advantage that changes to the risk environment of the firm, such as more or fewer small branches in the future or changes in the product range, will naturally be reflected in the value of the potential risk impact. It doesn’t even require knowledge of the precise amount lost by Barings. You only need to know that the risk event happened and apply this knowledge to the firm’s risk and control profile, from which a value is easily deduced. Go back to the causes, not the numbers.
The main disadvantage of the pragmatic approach is that you need to examine each loss in order to determine what the relevant risk factors are. However, the relevance of the result far outweighs the time required for this additional work, which will be required anyway if several high level factors are captured for each loss such as number of staff, gross revenues and profitability. Such an examination is required only once for each loss and then additionally for new losses as they are captured.

Part 2 · The framework

Using major events


As noted above, major events, whether internal or external, are particularly valuable for operational risk management as these can cause the loss of the entire firm. Of course, after a major event, many firms will carry out an audit of the specific controls which failed (or are perceived to have failed) and therefore caused the event, and take remedial action. But special audits can be delayed for good business reasons and not all firms will carry out an audit. This nevertheless begs the question: ‘How valuable is the historic data relating to a major event?’ The answer is that major events are of use to conceptual, rather than numeric, analysis in trying to get to the true causes of the events.

Timeliness of data
Event data degrades over time as the acceptable level of control environments
and people’s perceptions of control environments change. For example, as IT
environments change, manual controls will also change. Automated controls
are also frequently updated as software improves. So, any analysis of loss event
data must be careful to take the current environment into account.

Summary
Events, being what has actually happened, are probably the only hard facts we have in operational risk to make judgements about the future. However, as we have seen, the information we gain from them comes with a number of health warnings. The data will never be complete. As events occur, they inevitably affect behaviour, whether individual or corporate, which means that even if we have captured information comprehensively and accurately, its usefulness degrades over time.
The information gained from events validates and supports risk and control assessments, the levels of indicators and scenarios, and is fundamental to assessing capital requirements. But we should be careful that it does not bear too great a load of expectation.

Notes
1 Andrew Hughes, Failure to learn (Sydney: CCH Australia Limited), 2009.
2 Basel Committee on Banking Supervision, Loss Data Collection Exercise, 2008. www.bis.org.
3 See www.bba.org.uk/content/1/c4/65/05/GOLD_Brochure.pdf.



6
Indicators

Introduction
Key performance indicators and key risk indicators
Establishing KRIs and KCIs
Targets and thresholds
Periodicity
Identifying the leading and lagging indicators
Action plans
Dashboards
Summary

115

M06_BLUN7323_01_SE_C06.indd 115 29/06/2010 09:52



Introduction
Key risk indicators (KRIs) are a fundamental part of any comprehensive operational risk management framework and yet many firms seem to be puzzled and confused by them. The confusion may be less if they are called IRKs (indicators of risks which are key) or IKRs (indicators of key risks). They are definitely not ‘key’ risk indicators as this leads to far too many indicators. Many firms have identified several hundred indicators and are trying to manage their businesses by using this number of key risk indicators. However, it is highly questionable as to whether any business can truly have or indeed manage that number of indicators of key risks – or have the number of key risks which will give rise to several hundred indicators.
Other firms have striven for a very small number of indicators which will tell them about the well-being of the firm overall. This approach brings to mind a doctor trying to assess the complete state of your health only by taking your blood pressure, your pulse and listening to your heart. Clearly a good place to start, but definitely not to finish.
As can be seen in Figure 6.1, indicators are one of the three fundamental processes of operational risk management. Indicators of risks which are key can provide vital early warning signs to enable threats to the business and its objectives to be managed before they happen. Such indicators are typically called leading or predictive indicators. They give the current risk and control levels, as opposed to historic or future values.

Figure 6.1 Typical operational risk framework, showing position of indicators
Within the operational risk environment, and under Governance, sit three linked processes: Indicators (identify key risk and control indicators), Risk and control assessment (specify risk appetite and assess likelihood and impact; identify risk owner and assess design and performance; identify control owner) and Events (identify and capture internal and external events; analyse causes). Beneath each process are Action plans; beneath all three are Scenarios and modelling, and Reporting.
Source: Courtesy of Chase Cooper Limited


6 · Indicators

As indicators give today’s levels of risk, they also enable trends in risks and
their associated controls to be investigated and analysed. This trend analysis
can help to predict events before they happen. It can also signal that escalation
criteria have been breached and so trigger management action.

Key performance indicators and key risk indicators


It is important to differentiate between key performance indicators (KPIs)
and key risk indicators (KRIs). KPIs are commonly used in business to assess
the current level of performance. Perhaps the most commonly used KPI is the
profitability of a business. From a risk perspective, profitability tells us about
the state of the firm’s entire risk exposure and its control performance in the
most recent period. However, it is a poor indicator of key risks as it tells us
very little about any particular key risk and nothing about how to modify the
risk exposure. The profit figure by itself gives no disaggregation by key risk (or
by control performance) and therefore little opportunity to manage the firm by
adjusting its risks.

Figure 6.2 KPIs, KRIs and KCIs
The three kinds of key indicator (KIs): key risk indicators (change in likelihood or impact, linked to the RCA), key performance indicators (change in business performance, linked to business objectives) and key control indicators (change in design or performance, linked to the RCA).
Source: Courtesy of Chase Cooper Limited

KPIs are about the performance of the business and are typically linked directly to the business objectives. Examples of KPIs are: sales, revenues, profitability, total costs, staff costs, premises costs and IT costs. Some, though, can also act as KRIs. Examples could be: market penetration (risk: poor distribution network), or board and senior management turnover (risk: loss of key staff). By comparison, KRIs tell us about changes in the likelihood or impact of a key risk and can be linked to a risk and control assessment.
Figure 6.2 shows how KPIs and KRIs relate to each other and also how they relate to a third set of key indicators, key control indicators (KCIs). KCIs tell us about the change in the design or performance of controls and again can be linked to a risk and control assessment. KCIs fall into two categories: indicators of those controls which mitigate individual key risks and indicators of those controls which mitigate a number of risks.

Establishing KRIs and KCIs

Approaches to identification
Management support is essential for establishing indicators of risks which are key. There are various approaches to identifying indicators of key risks and key controls. Some of these are more likely than others to attract management support and drive. They are:
• using a blank sheet of paper
• using existing management information
• using an existing risk and control assessment.

Blank sheet of paper


Many firms start their identification of key risk indicators by starting with a blank sheet of paper and setting down all the indicators they are able to articulate. This has the advantage that there are no preconceptions, but it ignores any previous risk management work, in particular risk and control assessments.
Given that senior management should have been involved in the production of the relevant risk and control assessments, this approach sends a clear message that the risk and control assessment is of limited and narrow value, rather than being one of the three linked and fundamental operational risk management processes.
It also makes it difficult to identify which indicators are the best to manage the key business risks. Additionally, the indicators are identified in isolation and are not directly related to a risk.

Existing management information


Using existing management information has several advantages:
• It uses business metrics which are well known and understood. This means that senior management will be comfortable with the indicators and more willing to take decisions based on them.
• The data is more likely to be accurate as it’s in current use.
• There is an implicit link to identified risks and controls as most managers intuitively know their major risks and the controls that mitigate them. This intuitive knowledge leads to a natural match between the information used to control the business and the risk profile of the business, as represented by the risk and control assessments.
However, there is no explicit link to specific key risks. It is therefore harder to identify the indicators of key risks from indicators of normal risks. This approach also makes it difficult to identify which indicators are significant, although it can be argued that all metrics which are used on a monthly basis by senior management should be significant.

Existing risk and control assessment


This approach has the advantage of using risk and control data which have
already been agreed and are linked to the business objectives (or processes),
assuming these have been used to identify the risks and controls, which they
should have been. It therefore builds on previous risk management work and
reinforces that work as being valuable and key in its own right.
Identification of key risks is relatively easy with this approach. Typically,
a key risk is identified as a risk with a gross/inherent high-impact score and a
gross/inherent high-likelihood score. If this approach identifies only a few key
risks, it is often expanded to include all risks which have a high impact, with
no attention being paid to the likelihood score.
Having defined the key risks, it is also easy to identify one category of key
controls, i.e. any control which mitigates a key risk. Another category of key
controls is any control which mitigates several risks, since the failure of this
control may have a significant effect on the firm. In Figure 6.3, a firm may
consider the key risks to be risks 1 to 3, although 4 to 7 may also be counted
as key. Then 11, 17 and 18 are also assessed as having a high impact, but their
likelihood is considered low, so it is probable that the firm will not consider
them as being key. All controls of risk 1, 2 and 3 will be considered as key
controls. Additionally, ‘Appraisals’ and ‘Staff training’ mitigate more than one
risk and so may also be considered key.
Having identified the key risks, it is now relatively easy, using knowledge of the business, to identify indicators of the key risks which tell you about the changes to their likelihood or impact and to the design or performance of a key control. A good indicator will be easy to access and easy to understand. Many risk indicators, typically around 60% to 70% of indicators of key risks, are already being tracked somewhere in the firm. Whilst getting access to the relevant Excel spreadsheet or database can initially be difficult, it is worth persevering as data already in use are generally of a far better quality than new data.
It is common to identify a considerable number of indicators for each key risk. The challenge is to find a small number of indicators which convey information that is useful to the business, preferably using existing management information. Ideally, there will be one or two indicators for the likelihood and impact of a key risk and one indicator for each control which mitigates the key risk. In this way it is possible to achieve a manageable number of indicators which will give a good picture of the current risk profile of the firm, such as the one given in Figure 6.4.

Figure 6.3 Typical risk and control assessment
Each risk is listed with its owner(s) and scores I (impact), L (likelihood) and S; beneath it, each control with its owner(s) and scores D (design), P (performance) and E.
1 Failure to attract, recruit and retain key staff (SR; I 4, L 4, S 16)
    Salary surveys (TJ; D 2, P 2, E 4)
    Training and mentoring schemes (TB; D 3, P 2, E 6)
    Retention packages for key staff (TJ; D 4, P 4, E 16)
2 Financial advisers misinterpret/fail to understand the complexity of ‘equity release’ products (PL, AB; I 4, L 4, S 16)
    Staff training (TB; D 4, P 4, E 16)
    Learning gained from previous deals (KW & EL; D 4, P 4, E 16)
    Review of individual needs in performance appraisal process (TB; D 3, P 2, E 6)
    Procedure manuals for processes (EL; D 4, P 4, E 16)
3 Poor staff communication (SR, JK; I 4, L 4, S 16)
    Defined communication channels (ZK; D 4, P 3, E 12)
    Documented procedures and processes (EL; D 3, P 2, E 6)
4 Failure to understand the law and/or regulations (PL; I 4, L 3, S 12)
    Internal training courses (EL; D 4, P 4, E 16)
    Regular updates from various sources (EL; D 4, P 1, E 4)
    External training courses (TB & EL; D 4, P 3, E 12)
5 Poor detection of money laundering (PL; I 4, L 3, S 12)
    AML annual training (TB & EL; D 3, P 2, E 6)
    Circulation of BBA awareness circulars (EL & ZK; D 3, P 1, E 3)
    KYC (ALL; D 4, P 3, E 12)
6 Insufficient funds/deposits to cater for lending activities (CK; I 4, L 3, S 12)
    Liquidity risk policy (ZK; D 4, P 4, E 16)
    Advertising (KW; D 4, P 3, E 12)
    Economic forecasting (CK; D 3, P 3, E 9)
7 Over-selling credit cards (CK; I 4, L 3, S 12)
    Staff training (TB; D 3, P 3, E 9)
    Credit scoring (EL; D 4, P 4, E 16)
    Forward business planning (ZK; D 3, P 3, E 9)
8 Over-deployment of management resources on regulatory issues (RU, CK; I 3, L 4, S 12)
    Monthly budget against actual review (TJ; D 3, P 4, E 12)
    Corporate governance (CK; D 4, P 4, E 16)
    Monthly head of compliance & CEO meetings (CK; D 2, P 2, E 4)
9 Failure to capture market opportunities (AB; I 3, L 3, S 9)
    Competitor monitoring (TB; D 3, P 4, E 12)
    Product development (TB; D 2, P 2, E 4)
10 Over-dependency on outsourcing (CK; I 3, L 3, S 9)
    SLAs (CK & EL; D 4, P 4, E 16)
    Outsourcing monitoring (CK & EL; D 4, P 4, E 16)
    Due diligence (CK; D 4, P 3, E 12)
    Policy (CK; D 3, P 4, E 12)
11 Weakness in information security system (RU, JK; I 4, L 2, S 8)
    Record retention (ZK; D 2, P 2, E 4)
    Information security policy procedure and monitoring (ZK; D 3, P 2, E 6)
    Staff training and certification (TB; D 3, P 3, E 9)
    Client agreements/marketing (ZK & KW; D 2, P 1, E 2)
12 Inadequate or insufficient IT infrastructure to achieve business objectives (JK; I 2, L 4, S 8)
    Business/strategic planning (ZA & KW; D 3, P 4, E 12)
    IT systems performance and capability monitoring (ZK; D 4, P 3, E 12)
13 External fraud activities (PL; I 3, L 2, S 6)
    Anti-fraud training (ZK; D 4, P 4, E 16)
    Systems security (ZK; D 4, P 4, E 16)
14 Failure to grow staff competencies (SR; I 3, L 2, S 6)
    Staff training (TB; D 4, P 3, E 12)
    Hire of temporary staff (TB; D 2, P 2, E 4)
    Appraisals (TB; D 2, P 3, E 6)
15 Misaligned employee goals (SR, CK; I 2, L 3, S 6)
    Appraisals (TB; D 2, P 3, E 6)
    Corporate governance (ZA; D 4, P 4, E 16)
16 Failure to sense and eliminate internal fraud (PL; I 3, L 2, S 6)
    Criminal background check (EL; D 3, P 2, E 6)
    Segregation of duties (ZA; D 2, P 3, E 6)
    Staff training (TB; D 3, P 2, E 6)
    Fraud monitoring (EL; D 4, P 4, E 16)
    Whistle blowing (ALL; D 3, P 3, E 9)
17 Unfit or inappropriate new products launched (AB; I 4, L 1, S 4)
    Staff training (TB; D 3, P 2, E 6)
    New products approval process (KW; D 3, P 2, E 6)
18 Poor strategic decision making (CK, AB; I 4, L 1, S 4)
    Monitoring of market data (KW; D 4, P 4, E 16)
    Research and forecasting (KW; D 4, P 2, E 8)
    Monthly Management Forum (ZA; D 4, P 3, E 12)
    Marketing strategy review (ZA & KW; D 3, P 3, E 9)
19 Inaccessible premises (RU; I 3, L 1, S 3)
    BCP/M (EL; D 4, P 3, E 12)
    Security of floors (to enable loss to be better managed) (ZA; D 3, P 4, E 12)
    Building and firm guards (ZA; D 4, P 4, E 16)
Key: I = impact; L = likelihood; D = design; P = performance
Source: Courtesy of Chase Cooper Limited
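The selection rule described above, key risks from high gross impact and likelihood scores and key controls as those mitigating a key risk or several risks, can be applied directly to a risk and control assessment held as data. The following is an added worked example, not code from the book or from Chase Cooper. It encodes a subset of the rows of Figure 6.3 and leaves the impact and likelihood thresholds as parameters so that the strict reading and the progressively wider ones discussed in the text can each be produced; the weak_key_controls helper, which picks out key controls with a low design or performance score as first candidates for a key control indicator, is the example’s own addition.

```python
"""Key risk and key control identification from a risk and control assessment.

Added worked example (not from the book). The rows are transcribed from a
subset of Figure 6.3; thresholds are parameters so the strict and expanded
readings described in the text can both be produced.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    owner: str
    design: int       # D, 1..4
    performance: int  # P, 1..4


@dataclass(frozen=True)
class Risk:
    risk_id: int
    name: str
    owner: str
    impact: int       # I, gross/inherent, 1..4
    likelihood: int   # L, gross/inherent, 1..4
    controls: Tuple[Control, ...]

    @property
    def score(self) -> int:
        return self.impact * self.likelihood   # the S column of the figure


# Subset of Figure 6.3 (owners and scores copied from the figure).
RCA: List[Risk] = [
    Risk(1, "Failure to attract, recruit and retain key staff", "SR", 4, 4, (
        Control("Salary surveys", "TJ", 2, 2),
        Control("Training and mentoring schemes", "TB", 3, 2),
        Control("Retention packages for key staff", "TJ", 4, 4))),
    Risk(2, "Financial advisers misinterpret/fail to understand 'equity release' products", "PL, AB", 4, 4, (
        Control("Staff training", "TB", 4, 4),
        Control("Learning gained from previous deals", "KW & EL", 4, 4),
        Control("Review of individual needs in performance appraisal process", "TB", 3, 2),
        Control("Procedure manuals for processes", "EL", 4, 4))),
    Risk(3, "Poor staff communication", "SR, JK", 4, 4, (
        Control("Defined communication channels", "ZK", 4, 3),
        Control("Documented procedures and processes", "EL", 3, 2))),
    Risk(4, "Failure to understand the law and/or regulations", "PL", 4, 3, (
        Control("Internal training courses", "EL", 4, 4),
        Control("Regular updates from various sources", "EL", 4, 1),
        Control("External training courses", "TB & EL", 4, 3))),
    Risk(11, "Weakness in information security system", "RU, JK", 4, 2, (
        Control("Record retention", "ZK", 2, 2),
        Control("Information security policy procedure and monitoring", "ZK", 3, 2),
        Control("Staff training and certification", "TB", 3, 3),
        Control("Client agreements/marketing", "ZK & KW", 2, 1))),
    Risk(14, "Failure to grow staff competencies", "SR", 3, 2, (
        Control("Staff training", "TB", 4, 3),
        Control("Hire of temporary staff", "TB", 2, 2),
        Control("Appraisals", "TB", 2, 3))),
    Risk(15, "Misaligned employee goals", "SR, CK", 2, 3, (
        Control("Appraisals", "TB", 2, 3),
        Control("Corporate governance", "ZA", 4, 4))),
    Risk(17, "Unfit or inappropriate new products launched", "AB", 4, 1, (
        Control("Staff training", "TB", 3, 2),
        Control("New products approval process", "KW", 3, 2))),
]


def key_risks(rca: List[Risk], impact_min: int = 4, likelihood_min: int = 4) -> Set[int]:
    """Risks whose gross impact and likelihood both meet the thresholds.

    The strict reading is (4, 4); the text's expansion to 'all risks which
    have a high impact' corresponds to likelihood_min=1."""
    return {r.risk_id for r in rca if r.impact >= impact_min and r.likelihood >= likelihood_min}


def controls_by_name(rca: List[Risk]) -> Dict[str, Set[int]]:
    """Map each control name to the set of risks it mitigates."""
    mapping: Dict[str, Set[int]] = defaultdict(set)
    for r in rca:
        for c in r.controls:
            mapping[c.name].add(r.risk_id)
    return mapping


def key_controls(rca: List[Risk], key_risk_ids: Set[int], shared_min: int = 2) -> Dict[str, str]:
    """Controls that mitigate a key risk, or that mitigate shared_min or more risks.

    Returns control name -> reason it is considered key."""
    reasons: Dict[str, str] = {}
    for r in rca:
        if r.risk_id in key_risk_ids:
            for c in r.controls:
                reasons[c.name] = f"mitigates key risk {r.risk_id}"
    for name, risks in controls_by_name(rca).items():
        if len(risks) >= shared_min and name not in reasons:
            reasons[name] = f"mitigates {len(risks)} risks: {sorted(risks)}"
    return reasons


def weak_key_controls(rca: List[Risk], key_control_names: Set[str], threshold: int = 2) -> List[Tuple[int, str, int]]:
    """Key controls whose design or performance is rated at or below threshold,
    returned as (risk id, control name, D x P): natural first candidates for a KCI."""
    return [(r.risk_id, c.name, c.design * c.performance)
            for r in rca for c in r.controls
            if c.name in key_control_names and min(c.design, c.performance) <= threshold]
```

With the strict thresholds the key risks are 1, 2 and 3; relaxing the likelihood threshold to 3 adds risk 4, and dropping it altogether brings in the high-impact, low-likelihood risks 11 and 17. ‘Appraisals’ becomes a key control only through the second rule, because it mitigates two risks rather than any key risk.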

Figure 6.4 Examples of risks, KRIs, controls and KCIs
Risk indicators are marked L (likelihood) or I (impact); each control is followed by its control indicator.
1 Failure to attract, recruit and retain key staff
    Risk indicators: L: Staff turnover (annualized); L: Offer/acceptance ratio (percentage); L: Employer survey ranking; I: Client complaints (per week); I: Error rates (per week)
    Salary surveys – Employer salary survey ranking
    Training and mentoring schemes – Training costs
    Retention packages for key staff – Staff turnover
2 Financial advisers misinterpret/fail to understand the complexity of ‘equity release’ products
    Risk indicators: L: Time spent on each client; I: No. of complaints (per month)
    Staff training – No. of staff attending the training courses
    Learning gained from previous deals
    Review of individual needs in performance appraisal process – No. of staff queries
    Procedure manuals for processes – Time from last update (by month)
3 Poor staff communication
    Risk indicators: L: No. of general meetings/newsletters (per month); I: Staff morale (survey)
    Defined communication channels – No. of internal newsletters published
    Documented procedures and processes – No. of accesses to intranet pages where documented procedures and processes are displayed
4 Failure to understand the law and/or regulations
    Risk indicators: L: No. of front office queries to compliance office (per month); I: No. breaching the law (per month)
    FSA registration – No. of FSA visits
    Regular updates from various sources – No. of newsletters published from compliance department
    External training courses – No. of newsletters published by the staff after attending training courses
5 Poor detection of money laundering
    Risk indicators: L: Refer to controls; I: No. of times money is laundered (per year)
    Anti-Money Laundering annual training – No. of people NOT attending Anti-Money Laundering course
    Circulation of British Bankers’ Association awareness circulars – No. of circulars distributed compared to number of circulars received
    Know Your Customer – No. of potential clients rejected due to Know Your Customer
Source: Courtesy of Chase Cooper Limited

Targets and thresholds


As noted above, establishing targets or thresholds linked to an indicator can be very useful in setting escalation criteria for management action and in assessing trends in indicators. Thresholds should be set by reference to the business needs, and willingness to take a specific risk or to accept a level of control failure. The starting point is the required risk profile for the business. It is poor practice to set thresholds with reference initially to the available data.


Figure 6.5 Threshold setting

Source: Courtesy of Chase Cooper Limited

In the example shown in Figure 6.5 a mean target has been set of 5 with a green band of 4 to 6. The indicator has bands on both sides with an amber band of 3 or 2 on the lower side and a value of 7 on the upper side. These bands represent a breach of risk appetite. 1 or below is in the lower red band and 8 or above is in the upper red band. At this level there has been a significant breach of risk appetite. This is an example of an indicator which is bounded on both sides and which has uneven bands.
It is also common for indicators to have one-sided bands, for example a green band of 0 and 1, an amber band of 2 or 3, and a red band of 4 and above. Indicators can also be binary, that is they move directly from a green band to a red band. An example of this type of indicator might be the number of fatalities on a construction site where the contractor will have a green level of 0 and a red level of 1 or more.
Clearly these bands should be linked to the appetite of a firm. For example,
for the key risk ‘Loss of key staff ’ an indicator may be ‘Key staff turnover’ and
the bands agreed as in Figure 6.6.

Figure 6.6 Thresholds for ‘Loss of key staff’ risk and risk appetite for key staff turnover

  Red        Amber      Green       Amber       Red
  under 5%   5% – 9%    10% – 15%   16% – 20%   over 20%



6 · Indicators

A firm may be willing to accept a key staff turnover of between 10% and
15%. The management of key staff turnover at this level may be delegated to
the relevant head of business. This level is considered to be normal and accept-
able for the business.
Key staff turnover between 5% and 9% and between 16% and 20% may be
regarded by the business as inconvenient and, for the upper range, expensive
but nevertheless tolerable. These levels of key staff turnover may be notified
to an appropriate senior manager or group, such as the risk committee, so that
action can be taken to bring key staff turnover back to the green band, if this is
considered appropriate.
Key staff turnover over 20% may be regarded as too expensive for the busi-
ness, both in terms of loss of corporate knowledge and of recruitment costs.
It will probably also result in disruption to the business and mean that some
months go by before stability and cohesion is restored to senior management.
Key staff turnover under 5%, though, may also be considered to be a ‘red’ indi-
cator, as being at too low a level for the business, since fresh ideas and new
approaches are often brought in by new key staff. Low key staff turnover can
also be a reflection of a senior management cadre which is relatively overpaid
and complacent. These levels of key staff turnover would probably be notified
to the board as well as the risk committee.

Validation of thresholds through experience


Thresholds can be validated through reviewing previous indicator data, where
it is available, and through a review of the losses incurred by the firm which
are relevant to the specific risk or control. Additionally, threshold validation
can sometimes be achieved by examining peers’ or competitors’ losses.
When looking at validation data, however, remember to allow for data
which changes in different periods. For example, the number of non-
productive days due to staff absence will be higher in the summer, when
holidays are traditionally taken, than in the spring or autumn.

Periodicity
Indicators can be tracked over various lengths of time (e.g. daily, weekly,
monthly or annually). Most typically, risk indicators are recorded on a monthly
basis although indicators of risks which are at a transaction level are often daily
or even intra-day. The periodicity of an indicator is largely irrelevant to using it
for managing a risk. Much more important is how frequently the risk changes.
An indicator linking a risk to a daily process or activity clearly requires
recording on a daily basis, for example an indicator which records whether
or not daily reconciliations of a bank account have been completed. Equally,


an indicator linked to a risk which is annual in nature only needs recording
on an annual basis, for example an indicator linked to the completion of an
annual regulatory return. However, the majority of indicators are recorded
on a monthly basis as this frequency gives the best balance between the effort
required to record the indicator and good management of the risk. Examples
are staff turnover and staff attendance at training courses, each of which may
reflect the level of competence of the workforce.

Identifying the leading and lagging indicators


As noted in the introduction to this chapter, risk indicators are sometimes able
to show when risks are more likely to occur; they can give early warning sig-
nals before risks happen. The challenge for operational risk management is to
identify which indicators are most likely to give the early warning signals, in
other words the ones which act as effective leading indicators. Clearly, indica-
tors that the risk is more likely to happen, likelihood indicators, are a good
place to start as these provide warnings before the risk event has occurred.
Equally, indicators about the impact of a risk event are lagging indicators and
will tell you about the effect of the risk when it has happened, and the likely
size of the impact. However, there is not necessarily a correlation between an
indicator’s numeric value and the final size of the impact. Indicators tell you
that the world may have become riskier, but not by how much.
For control indicators, a helpful technique is to use an internal audit meth-
odology of classifying controls. This divides controls into four categories:
1. Directive controls – controls which mitigate a risk through direction (e.g.
policies, procedures, terms of reference).
2. Preventative controls – controls which mitigate a risk through preventing
it happening (e.g. guards round a piece of machinery).
3. Detective controls – controls which mitigate the impact of a risk by
detecting that it has occurred, so that it can be dealt with (e.g. fire
alarms or accounting reconciliations).
4. Corrective controls – controls which mitigate the impact of a risk through
correcting the effects of an event (e.g. disaster recovery site).
It is clear that indicators of preventative controls are leading indicators,
whereas indicators of detective controls will provide information about the
likely size of an event and are lagging indicators. The good risk management
practice of having a balance of directive, preventative, detective and corrective
controls to mitigate a risk is therefore very helpful in identifying leading and
predictive control indicators. This technique also provides a valuable challenge
to the management of risks in that the risk owner is able to see whether or
not the mitigation of the risk is balanced with a similar number of controls


operating before and after the event has occurred (see Identifying controls in
Chapter 4, Risk and control assessment).

Action plans
Collecting and monitoring indicators is of no use unless action is subsequently
taken. A firm will clearly wish to take action if a leading indicator shows that
the risk is more likely to occur. Action plans raised by indicators will be simi-
lar to other management action plans in that they will include the objective to
be achieved through completion of the action plan, the expected date of com-
pletion, the owner of the action plan and other typical items. However, there
will also be reference to the control which is failing (if applicable), the risk
which has been identified as more likely to occur and the possible impact to
the firm if the risk does occur. These points, which are linked explicitly to an
indicator, will be helpful in preparing a cost–benefit analysis for the action plan.

Dashboards
Indicators are commonly reported on dashboards, an example of which is given
in Figure 6.7.
As can be seen, a Red (R)/Amber (A)/Green (G) status column is very
common together with a trend indicator. These two columns provide a quick
view and guide the dashboard user as to which indicators to focus on first. It is
also common to record the most recent three periods and to have an average of
the most recent three in order to smooth the volatilities in the indicators.

Figure 6.7 Example of a KRI dashboard

Source: Courtesy of Chase Cooper Limited


In Figure 6.7, the ‘Overtime hours’ has a ‘red’ status and is of concern
because of its actual level, although it is at least trending down. ‘Complaints
received’ requires attention because, although it is at ‘amber’, it has doubled in
this period. Additionally, although the ‘Temporary staff’ percentage is trend-
ing down, the change from the last period is relatively small.
Combinations of indicators can also tell stories. For example although the
risk of ‘Accounts not KYC (Know Your Customer) compliant’ is stable and
within the green band, the number of customers has increased significantly in
this period whilst the ‘Overtime hours’ and ‘Temporary staff’ percentage are
both trending down. These last two indicators may be indicators of how well
the control of ‘Operations KYC review’ is performing in mitigating the risk
of ‘Accounts not KYC compliant’. This leads to the conclusion that ‘Overtime
hours’ and ‘Temporary staff’ are likely to be leading indicators for the risk of
‘Accounts not KYC compliant’.
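The band structures described under Targets and thresholds (two-sided with uneven bands as in Figure 6.5, one-sided, and binary) and the dashboard columns of Figure 6.7 (RAG status, trend, the last three periods and their average) can be put into a small evaluator. The following is an added example written for this edition, not Chase Cooper’s dashboard and not code from the book. The Band and Indicator names, the half-open band edges, the sample histories and the escalation routing (green managed by the head of business, amber notified to the risk committee, red to the board as well) are assumptions that generalise the key staff turnover narrative above.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Optional, Sequence

RED, AMBER, GREEN = "R", "A", "G"

# Who a status is escalated to. Assumption generalising the key staff turnover
# narrative: green managed by the head of business, amber notified to the risk
# committee, red to the board as well.
ESCALATION = {GREEN: "head of business", AMBER: "risk committee",
              RED: "board and risk committee"}


@dataclass(frozen=True)
class Band:
    """Half-open interval [low, high); None means unbounded on that side.
    Half-open edges mean a value such as 9.5% cannot fall between bands."""
    status: str
    low: Optional[float] = None
    high: Optional[float] = None

    def contains(self, value: float) -> bool:
        above_low = self.low is None or value >= self.low
        below_high = self.high is None or value < self.high
        return above_low and below_high


def check_bands(bands: Sequence[Band]) -> None:
    """Bands must be ordered and contiguous so every value maps to one status."""
    if bands[0].low is not None or bands[-1].high is not None:
        raise ValueError("first band must be open below, last band open above")
    for earlier, later in zip(bands, bands[1:]):
        if earlier.high is None or earlier.high != later.low:
            raise ValueError(f"gap or overlap between {earlier} and {later}")


@dataclass
class Indicator:
    name: str
    bands: Sequence[Band]                               # lowest value first
    history: List[float] = field(default_factory=list)  # oldest period first

    def __post_init__(self) -> None:
        check_bands(self.bands)

    def status(self, value: float) -> str:
        return next(b.status for b in self.bands if b.contains(value))

    def trend(self) -> str:
        """Direction of the latest move; whether 'up' is bad depends on the indicator."""
        if len(self.history) < 2:
            return "n/a"
        latest, previous = self.history[-1], self.history[-2]
        return "up" if latest > previous else "down" if latest < previous else "level"

    def rolling_average(self, periods: int = 3) -> float:
        """Average of the most recent periods, smoothing period-to-period noise."""
        return mean(self.history[-periods:])

    def row(self) -> Dict[str, object]:
        latest = self.history[-1]
        status = self.status(latest)
        return {"indicator": self.name, "recent": list(self.history[-3:]),
                "average": round(self.rolling_average(), 2), "status": status,
                "trend": self.trend(), "escalate_to": ESCALATION[status]}


def two_sided(green_low, green_high, amber_low, amber_high) -> List[Band]:
    """Bounded on both sides; the bands need not be symmetric (Figure 6.5 style)."""
    return [Band(RED, None, amber_low), Band(AMBER, amber_low, green_low),
            Band(GREEN, green_low, green_high), Band(AMBER, green_high, amber_high),
            Band(RED, amber_high, None)]


def one_sided(amber_from, red_from) -> List[Band]:
    """Only high values are a concern."""
    return [Band(GREEN, None, amber_from), Band(AMBER, amber_from, red_from),
            Band(RED, red_from, None)]


def binary(red_from=1) -> List[Band]:
    """Moves straight from green to red, e.g. fatalities on a construction site."""
    return [Band(GREEN, None, red_from), Band(RED, red_from, None)]


def build_dashboard() -> List[Dict[str, object]]:
    """Constructed sample: four indicators with three made-up periods each."""
    indicators = [
        # target 5, green 4-6, amber 2-3 and 7, red 1 or below and 8 or above
        Indicator("Figure 6.5 indicator", two_sided(4, 7, 2, 8), [5, 6, 8]),
        # green 10-15%, amber 5-9% and 16-20%, red under 5% and over 20%
        Indicator("Key staff turnover %", two_sided(10, 16, 5, 21), [12, 14, 17]),
        Indicator("Reconciliation breaks", one_sided(2, 4), [3, 2, 1]),
        Indicator("Site fatalities", binary(), [0, 0, 1]),
    ]
    return [ind.row() for ind in indicators]


def render(rows: List[Dict[str, object]]) -> str:
    """Text dashboard with status and trend first, where the eye lands first."""
    lines = [f"{'S':<2}{'Trend':<6}{'Indicator':<22}{'Last 3':>15}{'Avg':>7}  Escalate to"]
    for r in rows:
        recent = " ".join(f"{v:>4}" for v in r["recent"])
        lines.append(f"{r['status']:<2}{r['trend']:<6}{r['indicator']:<22}"
                     f"{recent:>15}{r['average']:>7}  {r['escalate_to']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_dashboard()))
```

Running the script prints a text dashboard with the status and trend columns first, matching the layout point made above. The check_bands step is the part worth keeping in any real implementation: a band table with a gap (the question of where 9.5% goes in Figure 6.6) or an overlap will silently route a value to the wrong escalation path, and it is cheaper to reject the table when it is loaded than to discover the problem in a risk committee meeting.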

Summary
Indicators are valuable not only in monitoring business performance, but in
identifying changes in a firm’s risk environment and in the effectiveness of risk
controls. They are a fundamental part of the operational risk management pro-
cess and an essential part of monitoring operational risk appetite.
The important thing to remember is that a KRI is an indicator of a key
risk and a KCI an indicator of a control which relates to a key risk. If that is
understood, the number of indicators will be manageable and the business will
see them as valuable, thus helping to achieve buy-in for the whole operational
risk management process. Another tip to encourage buy-in is to use, as far as
possible, indicators which are already being used by the business. Inventing
new ones, or failing to involve the business in identifying and establishing
indicators, will be counter-productive and a waste of energy and goodwill.
Having considered the three fundamental processes of operational risk man-
agement, it is now time to ‘advance the framework’ and look at various aspects
of modelling and reporting operational risk data.



Part 3 · Advancing the framework

7. Reporting
8. Modelling
9. Stress tests and scenarios


7 Reporting

Introduction
Common issues
Basic principles
Report definition
Reporting styles and techniques
Dashboard reporting
Summary


Introduction
There is little value in carrying out the processes in your operational risk
framework without good reporting. Informed decision making flows from
good operational risk reporting. Without it, poor decisions are far more likely
or, even worse, no decisions are made at all. It is only too easy to
drown in operational risk data, and so be unable to produce information and
reports which support effective action plans to improve or protect your oper-
ational risk profile.
Good operational risk reporting is more difficult than it looks. With the wide-
spread use of Excel everyone thinks that they can write good reports. However,
little consideration is given to the fact that operational risk information is often
complex and presenting it to a broad and diverse audience is not easy.

Figure 7.1 Typical operational risk framework, showing position of reporting

  Operational risk environment
    Governance
      Indicators: identify key risk and control indicators; action plans
      Risk and control assessment: specify risk appetite; identify risk owner and assess likelihood and impact; identify control owner and assess design and performance; action plans
      Events: identify and capture internal and external events; analyse causes; action plans
    Scenarios and modelling
    Reporting

Source: Courtesy of Chase Cooper Limited

Common issues

Relevance to the audience


Operational risk reports may be directed at heads of departments, heads of busi-
ness lines, risk committees or the board. There are clearly differing needs in this
broad church of users. At one extreme, the board will generally require a report
giving headline risk information and highlighting exceptions and will assume,
unless told otherwise, that the rest of the risk profile is acceptable (or at least not
unacceptable). The board will not be interested in a report which details all the
operational risk data available to the firm. However, it may well ask for specific

and detailed information on a particular area. Indeed, such a request shows that
the board is fully involved in the operational risk management of the firm and
has read and digested the regular summary exception reports.
A CEO or head of business unit is unlikely to be interested in the detailed
activity level risks referred to in Chapter 4, Risk and control assessment.
Equally, the supervisor of a unit within a department will have little interest
in business level or process level risks. For an operational risk report to be of
use, it must capture and report on risks, controls, indicators and losses which
are pitched at the level of detail for the recipients of the report. Data must
therefore be in a form in which it can be tailored and presented to answer the
needs of a variety of audiences at any point in time.

Understanding of operational risk terms


Significant effort is needed to ensure that there is a common understanding
of the terms used in an operational risk report. This will typically involve
management awareness programmes, as well as a glossary in the operational
risk policy document (see Chapter 3, Governance). Even with this done, it is
advisable to make sure that the terms used in the reports are clear, in common
use throughout the firm, and mean the same thing to everybody who reads
them. For example, the term ‘severity’ may confuse a reader, if ‘impact’ is the
common term used in the firm.

Communication of key messages


Report producers often assume that the reader has the same knowledge of
operational risk as they do. This is rarely true. In addition, most senior man-
agement have considerably less time to read and digest a report than the
producer of the report took to produce it. Attention must therefore be given to
making sure that the report communicates the key messages. This can be done
in a variety of ways, often by techniques such as highlighting or using colours,
but take care not to overuse colours (see Shading later in this chapter).

Use of quantitative and qualitative information


As we have seen in various chapters in this book, operational risk management
generates both quantitative and qualitative data. A particular challenge for
operational risk reporting is, therefore, that of collecting, aggregating and inter-
linking both quantitative and qualitative data in reports. With a little bit of
forethought and planning, it is possible to generate reports which enable this to
happen naturally (see Report definition and Dashboard reporting later in this chap-
ter). Regrettably, most operational risk reports comprise only either quantitative
or qualitative data; the interlinking challenge is conspicuous by its absence.


For example, it is very common to have a report which contains qualitative
information about the risks and controls relevant to a particular business unit,
without any reference to the quantitative information provided by key risk indi-
cators and losses relating to the same unit. Whilst the head of a department or
business line may wish to know all his or her risks and controls, this is likely to
be the only audience which requires that information in isolation. Other users
will want information from all the key operational risk management processes.

Data collection and quality


A common (but misplaced) view in operational risk management is that reports
are not worth producing until the quality of the data is acceptable. Data quality
may be poor because it has not all been collected (e.g. the complete collection
of losses is notoriously difficult, as seen in Chapter 5, Events and losses); or
because operational risk management is not embedded in the firm (e.g. risk and
control assessments may not yet have achieved acceptance).
Reports which contain data of suspect quality should be clearly annotated.
They may still provide useful information, but they should also be used to
show the advantages which would accrue if data was of better quality. Whilst
such an approach works up to a point, it should be treated with caution. By
replaying poor quality data in reports to the producers of the data and their
seniors, you are in serious danger of compromising acceptance of good and
effective operational risk management throughout the firm.

Basic principles

What does this number mean? Why is it at that level?


These key questions often arise from reading an operational risk report. Most
operational risk reports are seen on a monthly basis and there can be an assump-
tion that the reader will remember the values given in the previous month’s
report. That is unlikely. The report will almost certainly be one of many that
the reader reviews. Context must therefore be given to a particular number or
information it contains, either from other numbers in the same report or from a
comparison with the previous period, expected range or agreed appetite.

Should I do something about it?


A good report should not simply give values but should guide the reader
as to whether or not action is required. Indeed, if a report does not point to
some form of action or decision, its existence should be questioned. Too many
reports are regularly produced whose purpose is long forgotten or whose


practical use has disappeared, if there was one in the first place. The pointer
to action can be explicit, as in a key indicator report showing that an indicator
is in the red band (see Chapter 6, Indicators), or implicit, as in a report show-
ing the risk appetite alongside a column of values. All reports, though, should
highlight the need for action or at least a decision on action. As we have said
before, if they don’t, drop them.

Timely reporting
A report is only useful if it is produced in a timely fashion. If a report fre-
quency is set as monthly, the values in the report are likely to change from
month to month. It is therefore no good producing a monthly report three or
four weeks after the end of the month, as it will have relatively little value:
time has moved on and it is almost time for new values to be calculated for
the end of the following month. Equally, there is no point setting a report
frequency of daily or weekly if the values only change on a monthly basis.
Untimely reports like this will be ignored by management and will actively
work against embedding good operational risk management in a firm.

Reports continuously evolve


Operational risk reporting is, by its nature, a continuously evolving process.
This stems in part from the firm’s operational risk profile being itself in a state
of continuous change and in part from the dynamic nature of good report-
ing. The questions raised by, and asked of, an operational risk report are likely
to change as the risks, controls and indicators themselves change. This will
undoubtedly have an effect on the structure of the report and on the data con-
tained within it. Indeed, it could be argued that if an operational risk report
has not changed its structural detail in five or six reporting periods it is not
doing its job efficiently.

Risk ownership
Any risk report should enable management to take ownership of the infor-
mation. This may be done explicitly, with a risk owner clearly identified, or
implicitly through the identification of a department or business line. Either
way, and linking with the point above about identifying actions, a good oper-
ational risk report will precipitate effort to correct or enhance the operational
risk profile of the firm by the person who owns the risk which requires action.
An alternative, of course, is that the report shows that all risks are within the
firm’s risk appetite and that no action is required. If this is the case, it is debat-
able as to whether or not the risk appetite of the firm is too conservative. Even
a report indicating that no action is required can prompt a useful challenge.


Identifying and treating non-compliance


Allied to this, a report should identify where there is non-compliance with
either internal or external policies or regulations, and what action is going to
be taken to bring the firm back to compliance. This is, of course, fundamental
and echoes the point above about a report for the board identifying exceptions.
The board will also want to know what is being done about the exceptions by
whom and by when. If the exceptions have been authorised, the report should
show by whom and at what level.

Incentives to deliver operational risk strategy


Operational risk reports play a key role in clearly identifying the operational
risk strategy and how it is being achieved. A number of organisations use oper-
ational risk reports as an input to senior management and staff incentives. If a
department or business unit is doing its part in delivering the operational risk
strategy, this will be reflected in the operational risk reports. As we discuss
in Chapter 14, People risk, remuneration should reward good performance,
including non-financial aspects as exemplified by good risk management. Pay
should, in part, reflect good operational risk management performance, which
will be demonstrated both in and by good operational risk reports.

Define the boundaries


The boundary issue discussed in Chapter 1 – knowing what is included or
excluded in the firm’s definition of operational risk – also has an effect on
reporting. It is particularly important that the interdependencies of market,
credit and operational risks are recognised in operational risk reports. As an
example, a loss from a ‘fat finger’ event may have been viewed as a market risk
event five years ago. It is now almost certain to be viewed as an operational risk
event and care must be taken not to double count it in the market risk losses
as well as in the operational risk losses – or to lose it altogether if definitions
change in the interim. A further example, from the world of credit risk, is the
inability to perfect a lien over collateral deposited with the firm. This is now
likely to be viewed as an operational risk event, rather than a credit loss, which
would have been the case a few years ago.
This particular problem will be largely overcome if definitions of market
risk, credit risk and operational risk are clear. Additionally, a firm may develop
a boundaries document which explores these points and clarifies, through a
number of examples, the firm’s approach to risk boundaries.

Integration with other processes


Operational risk does not happen in isolation. There are a number of other
processes which are tangential to operational risk management. These include

performance measurement, compensation, audit and planning. Operational
risk reports should take these other processes into account and should not
repeat conclusions drawn from them. Instead, a good operational risk report
will, for example, add to audit conclusions and indicate risk acceptable actions
which can be taken on audit points. Repeating conclusions in different reports
is likely, at best, to lead to resources being wasted as a number of people seek
to solve the same problem and, at worst, to cause confusion and the possibility
that nobody resolves the problem.

Report definition
Before a draft design or prototype report is considered, it is important to define
the report. A definition of a report is usually a single sheet of paper, which
typically contains the following:
• Name of the report. A clear name is preferable to a report code; a report
named ‘Risk and control assessment’ is self-explanatory, as opposed to one
headed ‘ORM1’.
• Objective(s) of the report. This is often a difficult topic but a clearly stated
objective helps considerably in ensuring that the report is effective in use.
• Distribution list of recipients. This will help to ensure that the report is
targeted at the right people and contains the right level of data.
• Names of fields to be used. This will help to ensure that only the fields
required for the report are on the report, i.e. that there are no extraneous
data items on the report.
• Calculations required in each field (before the report is printed).
This makes the calculations clear to the IT staff who will be producing the
coding for the report; it also helps the person requesting the report to think
through the requirements and therefore eliminates unnecessary manipulation
of the data.
• Manual actions to be performed in each field (to obtain the final
report). These are any additional actions which may be required before the
report is ready to be used; there should be very few manual actions, if any.
• How to use the final report (including typical actions resulting
from the final report). This is a crucial part of the report definition; it
further clarifies the report objectives in a practical manner. The act of think-
ing through in detail how the report will be used challenges the report
requestor in terms of the necessity of the report and its differences from
existing reports. This section may even lead to other reports being recon-
figured or eliminated.


It is only after a report definition has been completed that a design or prototype
should be considered. These will, of course, be guided by the definition which
will remain a crucial document throughout report coding and production.

Reporting styles and techniques


Different styles are useful for different reports and desired outcomes. Using the
same set of data (see Table 7.1) we will now consider the effectiveness of differ-
ent reporting styles.

Table 7.1 Basic loss data


Loss type Jan Feb Mar Apr May Jun
Internal fraud 50,000 60,000 55,000 45,000 70,000 80,000
External fraud 70,000 100,000 45,000 35,000 25,000 20,000
Employment practices 40,000 20,000 5,000 3,000 15,000 20,000
Business practices 80,000 40,000 120,000 100,000 30,000 20,000
Damage to assets 30,000 5,000 7,000 10,000 2,000 18,000
System failures 35,000 25,000 45,000 15,000 18,000 30,000

Pie and bar charts


If the loss data just for January is reported on a pie chart (see Figure 7.2), it is
difficult to see which ‘slice’ of the pie is bigger, without further information.

Figure 7.2 Basic pie chart: January losses by loss type, slices unlabelled; legend only (Internal fraud, External fraud, Employment practices, Business practices, Damage to assets, System failures)


Further context can be given in terms of percentages for each slice – see
Figure 7.3 – together with clearer labelling – see Figure 7.4 – which makes for
much easier reading.

Figure 7.3 Enhanced pie chart: January losses, slices labelled with percentages only (12%, 16%, 10%, 23%, 26%, 13%) and a separate legend (Internal fraud, External fraud, Employment practices, Business practices, Damage to assets, System failures)

Figure 7.4 Further enhanced pie chart: January losses, slices labelled with name and percentage

  Internal fraud 16%
  External fraud 23%
  Employment practices 13%
  Business practices 26%
  Damage to assets 10%
  System failures 12%

Alternatively, even a simple bar chart will enable easy comparison of the size
of loss types (see Figure 7.5).


Figure 7.5 Basic bar chart: January losses as horizontal bars, one per loss type (System failures, Damage to assets, Business practices, Employment practices, External fraud, Internal fraud), value axis 0 to 100,000

2D or 3D
There has been a trend towards three-dimensional reports. Whilst this look
is ‘21st century’ the 3D reports do not always give information clearly or
quickly, as can be seen in the 3D column and line charts shown in Figures 7.6
and 7.7 which use the data given in Table 7.1.

Figure 7.6 3D column chart: monthly losses for Jan to Jun by loss type (Internal fraud, External fraud, Employment practices, Business practices, Damage to assets, System failures), drawn as rows of columns set back in depth (depth axis labelled Internal fraud, Employment practices, System failures), value axis 0 to 120,000

In Figure 7.6, a great deal of information is obscured by the columns in
the front.


Figure 7.7 3D line chart: the same six loss types for Jan to Jun, each series set back in depth (depth axis labelled Internal fraud, Employment practices, System failures), value axis 0 to 120,000

In Figure 7.7, information is again difficult to access. This is in contrast to
Figure 7.8 which is a 2D line chart.

Figure 7.8 2D line chart: monthly losses for Jan to Jun, one line per loss type (Internal fraud, External fraud, Employment practices, Business practices, Damage to assets, System failures), value axis 0 to 140,000


Although there is a considerable amount of information in this chart,
it is still possible to understand it quickly and therefore be able to draw an
informed conclusion as a basis for action.

Shading
It is easy to shade a table to indicate the status of a cell and to include poss-
ibly spurious accuracy through decimal values. Figure 7.9 is more cluttered
and more difficult to extract information from than Figure 7.10.

Figure 7.9 Losses for 6 months, showing thresholds (shading not reproduced here: most cells carry a light or medium tint, with a dark tint standing for red cells)

Loss type (£)          Jan         Feb         Mar         Apr         May         Jun
Internal fraud         50,000.00   60,000.00   55,000.00   45,000.00   70,000.00   80,000.00
External fraud         70,000.00  100,000.00   45,000.00   35,000.00   25,000.00   20,000.00
Employment practices   40,000.00   20,000.00    5,000.00    3,000.00   15,000.00   20,000.00
Business practices     80,000.00   40,000.00  120,000.00  100,000.00   30,000.00   20,000.00
Damage to assets       30,000.00    5,000.00    7,000.00   10,000.00    2,000.00   18,000.00
System failures        35,000.00   25,000.00   45,000.00   15,000.00   18,000.00   30,000.00

In Figure 7.9, the eye is pulled to the masses of light and medium shaded
cells, rather than to the important information highlighted in dark tint, which
stands for red cells.

Figure 7.10 Losses for six months, highlighting red cells only (in the original only the dark-tinted, red cells are shaded)

Loss type (£000s)      Jan   Feb   Mar   Apr   May   Jun
Internal fraud          50    60    55    45    70    80
External fraud          70   100    45    35    25    20
Employment practices    40    20     5     3    15    20
Business practices      80    40   120   100    30    20
Damage to assets        30     5     7    10     2    18
System failures         35    25    45    15    18    30

In Figure 7.10, loss amounts have been reduced to round £ thousands and
only the dark-tinted (red) cells are highlighted, the information which most
concerns the reader.


Dashboard reporting
Many reports feature in other chapters of this book. These focus on the chapter topic, for instance risk and control assessment, indicators, events and losses. However, it is important to draw the threads together so that a comprehensive and cohesive approach can be taken to managing operational risk. Such a report will show the major items of interest to the reader (and as noted above these will be different for different readers). A report giving a range of information, often in different formats to suit the particular topics being reported, is usually called a dashboard. Two examples of a dashboard report are given in Figures 7.11 and 7.12.

Figure 7.11 Dashboard report: risk performance

Risk performance report MMM/YYYY

| Risk | Gross impact | Gross likelihood | Net impact | Net likelihood | Performance: actual | Performance: trend from previous | Appetite: target | Appetite: better (worse) | Action/summary | Overall rating |
|---|---|---|---|---|---|---|---|---|---|---|
| Failure to attract, recruit and retain key staff | H | H | M-H | M-L | Turnover 17% | Down 5% | 15% | (2%) | Investigate poor survey result | |
| | | | | | 6th in survey | Up 1 place | 1st/2nd/3rd | (3 places) | | |
| | | | | | 30 training courses | Up 10 | 20 places | +10 | | |
| Poor staff communication | H | H | M-H | L | 1 general newsletter | Level | 1 general newsletter | Level | See action above; no further action | |
| | | | | | Morale 3 | Up 1 | Morale 4 | (Down 1) | | |
| Failure to understand the law and/or regulations | H | M-H | M-H | M-L | 1 internal update | Down 1 | 2 per month | (Down 1) | COO to investigate poor performance | |
| | | | | | 0 courses/3 months | Down 1 | 1 courses/3 months | (Down 1) | | |
| | | | | | 1 fine in 12 months | Up 1 | 0 fines in 12 months | (Up 1) | | |
| Poor detection of money laundering | H | M-H | M-H | L | 10 staff o/s training | Down 5 | 0 staff outstanding | (10 staff) | Chase outstanding staff | |
| | | | | | 15 SOCA reports | Down 3 | 10 SOCA reports | Up 5 | | |

(The overall rating is shown by colour in the original.)

The risk performance report in Figure 7.11 gives the top four risks for the firm. (This is commonly produced for the top 10 or top 15 risks.) The indicators and events/losses for these top risks are given too, so that an overall operational risk picture is available. Actions and overall rating (on the right-hand side) can be agreed at the risk committee. This report can then be distributed to board members as a summary of the firm’s operational risk status for its top risks.



Figure 7.12 Dashboard report: operational risk summary

(Full-page dashboard: summary table top left, indicator bar chart top right, risk and control spidergram bottom left, loss column and line chart bottom right.)

Source: Courtesy of Chase Cooper Limited

Figure 7.12 provides summary risk information on the top operational risks of the firm at a more detailed level of loss event type and extends the analysis in Figure 7.11 to include more complete data on indicators and losses, as well as more information on risk and control assessments. Whilst there may be a loss of detail in any summary, salient information is brought out by different display formats. The summary table top left provides a good use of colour which draws attention to risks which require action, as well as providing a clear indication of indicator trends, which is developed in the bar chart at top right. The spidergram at bottom left is an effective way of highlighting relative levels of risks and controls. The column and line chart at bottom right provides a clear visual summary of the more detailed loss information just above it.

Summary
Good reports are essential to good operational risk management. Key information must be easily accessible and delivered in such a way as to support informed business decisions on the firm’s operational risk profile. That sounds easy and obvious, but is not so easy in practice. It is only too easy to be overwhelmed by information which is not focused on readers’ needs. That can include too much information, information which is not relevant to the reader and information which may be relevant, but is not presented in a way which is readily understandable. With operational risk, readers can be at every level of the firm, so the range is wide.

All of those issues of communication and understanding are just as pertinent when it comes to modelling operational risk, the subject of the next chapter.

8 Modelling

Introduction
Previous approaches to operational risk modelling
Towards an inclusive approach
Distributions and correlations
Practical problems in combining internal
and external data
Confidence levels and ratings
Obtaining business benefits from capital modelling
Obtaining business benefits from qualitative modelling
Summary



Part 3 · Advancing the framework

Introduction
Much has been written about the mathematical modelling of operational risk. Unfortunately, almost all of the writing has been very mathematical and with very little focus on the business benefits. It is almost as though the modelling of operational risk should be sufficient in itself as an intellectual exercise. Modelling appears to be divorced in some way from the reality of the business world. Yet there are considerable benefits which can be derived from modelling and you do not have to wait for several years until you have collected sufficient loss data. Modelling of operational risk can start as soon as the first risk and control assessment is completed and it can help challenge and validate the data in that assessment.

Figure 8.1 Typical operational risk framework, showing position of modelling

Operational risk environment
  Governance
    Indicators: identify key risk and control indicators; action plans
    Risk and control assessment: specify risk appetite; identify risk owner and assess likelihood and impact; identify control owner and assess design and performance; action plans
    Events: identify and capture internal and external events; analyse causes; action plans
  Scenarios and modelling
  Reporting

Source: Courtesy of Chase Cooper Limited

As shown in Figure 8.1, modelling can use data from any one or more of the three fundamental operational risk processes. It can change the qualitative data obtained from risk and control assessments into monetary values and be used to make sense of the plethora of loss and indicator data. In addition, when probabilistic modelling is used, it provides vital validation of these processes by enabling management to challenge the conclusions reached deterministically.

Modelling of operational risk can be used to determine the economic capital required to support the operational risks to which a firm is subject, as well as to calculate regulatory capital requirements. By calculating capital by business line and loss event type, modelling enables the capital to be allocated to business units easily and fairly and supports a risk adjusted return on capital approach to business management.

Previous approaches to operational risk modelling

Operational risk modelling has matured over the years. To see how it has developed, and learn some lessons from the issues which have arisen in its development, it is instructive to look at the efforts of the financial services industry. Between the late 1990s and 2004, when the Revised Basel Accord was issued, the financial services industry experimented with a wide variety of modelling approaches for operational risk. The Basel Committee identified three broad approaches:
• internal measurement
• loss distribution
• scorecard.

Internal measurement approach

This was first floated by the Basel Committee in early 2001. It was a deterministic approach based, to some extent, on the more advanced credit risk capital calculation and therefore provided a consistent methodology for advanced credit risk and operational risk calculations. The approach relied on a firm having a comprehensive and complete database of losses experienced by it over a considerable number of years. Its core was based on the popular deterministic method of calculating the annual effect of a risk occurring: the annual likelihood of the risk occurring multiplied by the value of the impact. Both the annual likelihood and the value of the impact are calculated using a loss database of a firm’s own losses.

The Basel Committee extended this approach by dividing impacts into seven loss event types and eight business lines (see also Chapter 5, Events and losses), giving a 56-cell matrix. Additionally, each firm was required to identify an exposure indicator which related to the scale of the firm’s activities in a particular business line. The regulator provided a factor which translated the firm’s expected loss into a capital charge for each cell. This factor was based on industry-wide data and would in effect take each expected loss and increase it, such that it became an unexpected loss. The combination of the factors of this approach resulted in a formula which was summed for each cell in the matrix, i.e.

∑(PE × LGE × EI × γ)

where PE is the probability of an event over some future horizon, LGE is the average loss given an event occurs, EI is the exposure indicator for that particular firm, and γ (gamma) is the expected/unexpected translation factor supplied by the regulator.

This is broadly consistent with the credit risk approach of using the PD (probability of default) and LGD (loss given default) together with an EAD (exposure at default).
Although this approach is easy to understand as it is deterministic, there are several significant disadvantages:
• Before applying this approach, a firm must collect losses in all areas for a number of years. This means that no firm is able to use this advanced method of calculation for its operational risk capital until it has collected sufficient losses. Given that there are 56 cells and that at least 21 losses are required in each cell for statistical significance to be achieved, a firm has to collect several thousand losses before it can use this method from a practical and mathematically coherent perspective. This level of collection is necessary because some cells will be very sparsely populated.
• Even if the firm has collected many losses, the quality of the data is still suspect unless there is a clear methodology for collecting losses which is consistently applied by the firm over a number of years.
• Allied to the first two points is the fact that very few firms which collect loss data are confident that they have captured all operational losses. Although a firm can confirm that the data it has captured has been recorded correctly, by their nature operational losses are difficult to capture as there is generally little direct incentive for their reporting.
• The approach assumes that the firm continues to operate in the same way that it has done in recent years. If a firm enters a new area of business, it will not be able to calculate its operational risk capital under the internal measurement approach for a number of years. There are also assumptions that the firm’s operational risk approach, appetite and methodology will remain constant in order to generate comparable data.
• This approach implies that past losses are a good indication of future requirements of operational risk capital. It is well-known (and financial services regulators require firms to make the point in a footnote to their advertising) that the past is no guide to the future. This is in part due to changes in controls which are made as a management reaction to operational risk losses.
• As the losses collected are generally of the high-likelihood/low-impact type, this approach assumes a fixed and stable relationship between the losses experienced by the firm in the past and the unexpected losses which may be experienced by the firm in the future. This is the equivalent of extrapolating a curve which is derived from high-likelihood/low-impact losses (that is around the 40th to the 60th centile) out to the very high centiles (e.g. 99.9). Such an extrapolation is clearly suspect, without using data which is closer to the very high centiles, and takes no account of a particular firm’s risk profile, which may be better than the industry’s generic profile. Additionally, the relationship between expected and unexpected losses may be non-linear.
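The IMA formula worked through on a small constructed loss database, as an added example that is not the book's or the Basel Committee's code: PE and LGE are estimated per loss event type/business line cell, an assumed exposure indicator and regulator gamma are applied, and any cell holding fewer than the 21 losses the text cites is reported as too sparse to trust. The business lines, event types, amounts, exposure indicators and gamma values are all constructed, and PE is taken as events per year per unit of exposure indicator (an assumption made so that PE × EI gives the expected annual event count).

```python
"""Deterministic IMA-style capital calculation over a constructed loss database.

Added example: not the book's or the Basel Committee's code. PE, LGE, EI and
gamma follow the formula in the text; every value below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Minimum number of losses per cell that the text cites for statistical
# significance; sparser cells are flagged rather than silently trusted.
MIN_LOSSES_PER_CELL = 21


@dataclass(frozen=True)
class Loss:
    business_line: str
    event_type: str
    amount: float  # monetary loss in pounds


def cell_parameters(losses, years, exposure):
    """Estimate (PE, LGE, count) for every business line / event type cell.

    PE is taken as events per year per unit of the business line's exposure
    indicator (assumption: then PE x EI recovers the expected annual event
    count); LGE is the mean loss per event in that cell.
    """
    by_cell = defaultdict(list)
    for loss in losses:
        by_cell[(loss.business_line, loss.event_type)].append(loss.amount)
    params = {}
    for (bl, et), amounts in by_cell.items():
        count = len(amounts)
        pe = count / years / exposure[bl]
        lge = sum(amounts) / count
        params[(bl, et)] = (pe, lge, count)
    return params


def ima_capital(losses, years, exposure, gamma):
    """Return (total_capital, per_cell_capital, sparse_cells).

    per_cell_capital[cell] = PE x LGE x EI x gamma, and the total is the sum
    over cells as in the formula in the text. Cells with fewer than
    MIN_LOSSES_PER_CELL losses are still counted but listed in sparse_cells
    so the reader can see which figures rest on thin data.
    """
    per_cell = {}
    sparse = []
    for (bl, et), (pe, lge, count) in cell_parameters(losses, years, exposure).items():
        per_cell[(bl, et)] = pe * lge * exposure[bl] * gamma[(bl, et)]
        if count < MIN_LOSSES_PER_CELL:
            sparse.append((bl, et))
    return sum(per_cell.values()), per_cell, sorted(sparse)


# Constructed three-year loss database: one well-populated cell (30 losses)
# and one sparse cell (6 losses). Names and amounts are illustrative only.
YEARS = 3
RETAIL, TRADING = "Retail banking", "Trading and sales"
EXT_FRAUD, EDPM = "External fraud", "Execution, delivery and process management"
SAMPLE_LOSSES = (
    [Loss(RETAIL, EXT_FRAUD, 1000.0 + 100.0 * i) for i in range(30)]
    + [Loss(TRADING, EDPM, 20000.0) for _ in range(6)]
)
# Exposure indicators (e.g. gross income in £m) and regulator gammas: constructed.
EXPOSURE = {RETAIL: 100.0, TRADING: 50.0}
GAMMA = {(RETAIL, EXT_FRAUD): 3.0, (TRADING, EDPM): 4.0}


def run_example():
    """Run the IMA calculation on the constructed database."""
    return ima_capital(SAMPLE_LOSSES, YEARS, EXPOSURE, GAMMA)


if __name__ == "__main__":
    total, per_cell, sparse = run_example()
    for cell, capital in per_cell.items():
        print(f"{cell}: capital {capital:,.0f}")
    print(f"total capital {total:,.0f}; sparse cells: {sparse}")
```

For the retail cell the expected annual loss is 73,500/3 = 24,500, which gamma 3 turns into 73,500 of capital; the trading cell contributes 160,000 but is flagged as resting on only six losses.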

Loss distribution approach

In some ways, this approach is similar to the internal measurement approach, even though external losses could arguably also be used and a probabilistic methodology was directly applied. It was first raised by the Basel Committee in September 2001. In this approach, the firm estimates the likely distribution of operational risk losses over some future horizon for each loss event type/business line combination, i.e. the 56-cell matrix noted above.

As the distribution is estimated either by reference to an existing loss database or derived through, for example, Monte Carlo simulation, there is no need for a gamma factor. Indeed, the distributions could vary by cell as a specific distribution may be deemed to be more appropriate for a particular loss event and business line combination.

This approach also neatly removes the internal measurement approach disadvantage of the assumption of the relationship between expected and unexpected losses, by deriving distributions directly from the data, from a combination of the data and simulations of the data, or from prior knowledge, perhaps gained through knowledge of the experience of other firms.

A capital charge is based on the value at a high centile of each of the 56 distributions, and these values are combined to produce an overall capital figure. Mention was made of the potential to use less-than-full correlations as it was recognised that simple summing assumes a perfect correlation. The values from all cells relevant to the firm are then added together. Mathematically:

∑ VaR_le,bl

where VaR_le,bl is the value at the required centile of the selected loss event (le) and business line (bl) cell.

One serious flaw of the loss distribution approach is that it did not recognise that it is mathematically incorrect to sum VaRs from different (and possibly very different) distributions. However, the approach could be mathematically correct if an expected shortfall figure was used instead of the VaR, as the expected shortfall is an average of all the VaRs at and past the relevant quantile.

The first four disadvantages for the internal measurement approach (see p. 148) are equally valid for the loss distribution approach.


Scorecard approach

This is named after the balanced scorecard approach to management practised by a number of large firms. This approach was also first identified by the Basel Committee in September 2001. Although some firms using this approach started with the internal measurement approach or loss distribution approach for an initial capital calculation, the scorecard approach takes a more qualitative view of operational risk capital. In practice, an initial capital is calculated at either a firm or a business line level using data derived from either qualitative or quantitative techniques.

However the initial capital is calculated, it is modified through a forward-looking component which is intended to reflect improvements in the control environment which may reduce the frequency and/or the severity of future operational risk losses. Changes to the risk profile may be reflected through indicators of particular risks or the results of, for example, risk and control assessments. Given the use of qualitative data, the results of this approach must be rigorously challenged through the use of both internal and external loss data.

A fundamental difference between a scorecard approach and the two approaches above (based solely on loss data) is the inclusion of forward-looking data derived from discussions with business line staff and reviewed by a central risk function. The discussions and review often form part of the risk and control assessments, as it is these which can easily be used to identify expected risks to the firm in the future and its control environment.

A further difference using the scorecard approach is that the capital is calculated from a single VaR value taken at the required quantile from a single distribution created using the firm’s or the business unit’s entire data. This has the advantage that it does not sum VaRs.
The advantages to this approach include:
• If a firm acquires or disposes of a business or commences or ceases trading in a new product, an assessment of the risks (and the capital required) can be included immediately due to the forward-looking element of this approach.
• The forward-looking risk and control data can be used to compensate for a lack of loss data.
• There is, in theory, no need to wait for a number of years in order to collect sufficient data. The inherent nature of these qualitative forward-looking data is that they are refined and modified over time as management becomes more confident with its risk methodology and as the firm’s risk profile changes.
• Although the data are subject to business judgement assumptions, the assessment of risks and controls is often performed on a realistic worst-case basis. This yields data that are significantly towards the very high centiles and therefore the data used in a scorecard approach are inherently more representative of data which can severely damage a firm, than data solely from losses.
There are, however, a number of drawbacks to this approach:
• The major assumption that business judgement is a good indicator of the future capital requirements of the firm: the events of 2007/9, particularly in the banking part of the financial services sector, show that this assumption is just as flawed as the assumption that the past is a good guide to the future. (See also Recognising and mitigating natural biases in Chapter 9, Stress tests and scenarios.)
• The quality of the forward-looking data can vary widely depending on the extent of line management commitment. Some management can be very willing to dedicate time and effort to determining a comprehensive set of risks and controls. Others will view it as an intrusion into their everyday work and may delegate the risk and control assessment to inappropriate or inexperienced junior personnel. This is, of course, a reflection of an unacceptable risk culture in the firm.
• Whilst the two loss data based approaches derive distributions from the data, the scorecard approach often requires a distribution to be assumed for the probabilistic modelling. Distributions have different sizes and shapes and this can affect the capital requirement. This drawback can be overcome by taking capital requirement readings at whatever quantile is used from a variety of distributions, as the modelling can be repeated using as many different distributions as the firm sees fit.

Summary of the three approaches

A summary of the three approaches is given in Tables 8.1 to 8.3.

Table 8.1 Assumptions analysis

| Assumption | IMA | LDA | Scorecard |
|---|---|---|---|
| Past is guide to future | Y | Y | N? |
| Business/judgement is guide to future | N | N | Y |
| Detailed accounting analysis is accurate | Y | Y | N |
| Low-frequency, high-impact data is sufficiently available | Y? | Y | N? |
| (Un)expected fixed relationship | Y | N | N |
| Likelihood/impact distributions | N? | Y | Y |

Source: Courtesy of Chase Cooper Limited


As can be seen in Table 8.1, the assumption that the past is a guide to the future is clearly made in both the internal measurement approach (IMA) and loss distribution approach (LDA). However, the scorecard approach could also be challenged in that whenever the future is assessed, there is at least an inherent bias towards what has happened in the past.

Equally, the assumption that ‘business judgement is a guide to the future’ is clearly made in the scorecard approach although the only way that the other two approaches could be accused of making this assumption is through the derived capital requirement which of course applies to the future.

As the data for the IMA and LDA are from losses experienced by the firm, there is a clear assumption that those losses are recorded in an analysis by the firm (most usually in the accounts/general ledger of the firm) and that this analysis is accurate. The scorecard approach is likely to use losses suffered by the firm as a form of back-testing and therefore the assumption of accuracy is considerably less important.

As the IMA explicitly assumes a fixed and stable relationship between the firm’s loss data and capital requirement, the use of low-frequency/high-impact data is less important, although it will add to the accuracy of the capital requirement if it exists. In contrast, the LDA makes no such assumption in terms of a fixed and stable relationship and therefore the availability of low-frequency/high-impact data is of much more significance. Again, although the scorecard approach does not use loss data directly, its availability for back-testing is useful and therefore sufficient high-quantile data will again add to the accuracy of the derived capital requirement.

The only approach which assumes a fixed relationship between existing losses and unexpected losses is the IMA.

In terms of distribution assumptions, the IMA does not use a distribution, being a deterministic method for calculating capital, whereas the scorecard approach definitely assumes distributions in its probabilistic modelling. The LDA may assume distributions in the higher quantiles and also may assume a particular distribution is the best fit for a particular loss event type/business line cell.

Table 8.2 Data analysis

| Data characteristic | IMA | LDA | Scorecard |
|---|---|---|---|
| Objective (past) | Y | Y | N? |
| Subjective (forward looking) | N | N | Y |
| Quality analysis by | Finance | Finance | Management |
| Quantity available | Low? | Low? | Tailored |
| Collection time | Long | Long | Short |
| Source | Accounts | Accounts | Management |
| Use of external data | Direct | Direct | Indirect |

Source: Courtesy of Chase Cooper Limited


Table 8.2 analyses the characteristics of the data in the three approaches. Clearly, the IMA and LDA both use objective (i.e. past) data and the scorecard approach may use it in assessing the future. Equally clearly, the scorecard approach uses a subjective analysis of the risks that may be suffered by the firm and of the controls that may be used to mitigate the risks. Both of these are forward-looking although possibly influenced by past events.

Any quality assurance on the data will probably be provided by internal audit for the IMA and LDA loss data whereas quality assurance on scorecard data can only be provided by internal audit at a process level.

Whilst some cells in the Basel 56-cell matrix will have considerable loss data, other cells will have very little loss data, if any. This means that the statistical analysis in the LDA in particular may be poor due to a low quantity of data. In comparison, the scorecard approach data will be tailored to that which is required if line management can be engaged in the process.

To have sufficient data for loss event modelling you need at least 30 data points for each risk, or combination of risks, which you are trying to model. The time it takes to collect that amount of data is therefore as long as you need, but could well be at least five years or longer for relatively rare risks. As an example, the Basel Committee set a minimum of three years, ultimately moving to five years, but the real time could be even longer. Timescales such as these significantly affect the ability of a firm to start using advanced modelling. And of course even five years of benign activity tells you little, as we have seen with credit data in the period preceding the 2007/8 sub-prime problems. On top of which, old data can be largely irrelevant, since the internal and external environments will almost certainly have changed.

Although the collection time for scorecard data is much shorter (as long as it takes to complete sufficient risk and control assessments), the need to challenge the scorecard data through the use of appropriate and sufficient loss data means that the three-year minimum may also apply to the scorecard approach. However, the scorecard approach can be used by the business to gain significant benefit before this time has elapsed (see Obtaining business benefits from qualitative modelling later in this chapter).

The source of losses will ultimately be a value which is recorded in the accounts in the IMA and LDA whereas management will provide the data for the scorecard approach.

The use of external data can be either direct or indirect in the LDA or IMA, whereas the scorecard approach will use external data both for back-testing and possibly for the generation of relevant high-quantile risks. Direct use of external data in the LDA or IMA is dependent on appropriate conditioning of the data, such as scaling.


Table 8.3 Other factors

| Factor | IMA | LDA | Scorecard |
|---|---|---|---|
| Capital charge calculation | Standard factor | Individual percentages | Single % |
| People – training | Significant | Significant | Significant |
| People – accessibility | Difficult | Difficult | Easy |
| Rapid business value | N | N | Y |
| Efficiency of controls | Indirect | Indirect | Direct |
| Cost reduction support | Indirect | Indirect | Direct |
| Transparency | Low | High | Medium? |

Source: Courtesy of Chase Cooper Limited

But other factors come into play, apart from the nature and quality of assumptions and data. These are shown in Table 8.3. The capital charge calculation in the IMA is deterministic and uses a standard factor. In the LDA, individual VaR values are used and then summed to produce an overall capital figure for the firm. In the scorecard approach, a single value is taken from the overall distribution for the firm.

Training people to use any of the three approaches is a significant exercise:
• The IMA requires a significant amount of training as loss data must be captured firm-wide over a number of years in order to produce an accurate value for the capital required. It also requires considerable acceptance across the firm that comprehensive collection of internal loss data is a worthwhile use of resource. This acceptance requires commitment from everyone in the firm. This is difficult to obtain for capital modelling purposes in that the resultant control gaps will almost certainly have been closed and the capital suggested by the losses is therefore historic rather than that required to provide support for future problems.
• The LDA also requires a significant amount of training as, again, loss data must be captured firm-wide, together with an understanding of probabilistic approaches applied to operational risk amongst risk management and senior management.
• The scorecard approach requires significant training for line management in order that its assessments are comprehensive and consistent, as well as an understanding of probabilistic approaches applied to operational risk.

The IMA can be difficult to assess as a concept because it incorporates a large amount of data and exposure indicators, together with a translation factor supplied by the regulator. The LDA may be inaccessible for many staff due to its probabilistic approach for extending known losses into high quantiles for a capital requirement. In contrast, the scorecard approach may be easier for management as it is based on management’s view of the risks which are likely to be faced by the firm and the controls that will mitigate those risks.

Neither the IMA nor the LDA is able to give rapid business value, as considerable time is required to collect the data. However, the scorecard approach may give rapid business value, as the collection time for data is much shorter.

The efficiency of controls is tested indirectly through the IMA and the LDA as control failures lead to losses and therefore there is an implicit link to the capital required. As the scorecard approach directly assesses the quality of the controls, it can also be used to challenge the efficiency of the controls by comparing the mitigating effect to the cost of controls (see later in this chapter, Obtaining business benefits from qualitative modelling).

In the same way, the IMA and LDA can be used indirectly to support cost reduction, whereas the scorecard approach can be used directly to support it.

The transparency of the three approaches is hotly debated. It can be argued that the IMA has a low transparency because of the use of exposure indicators (determined by the firm) and translation factors (determined by the regulator or an industry body). Equally, the LDA uses the firm’s own losses (albeit probabilistically) and it can therefore be said to be transparent. Whilst the scorecard uses management’s own view of its forward-looking risks and of its controls, the probabilistic approach may be viewed as lacking transparency.

Towards an inclusive approach

By considering the advantages and disadvantages of the above approaches, it becomes clear that a firm must take into account internal losses, external losses, the business and internal control environment, and scenario analysis, within a comprehensive approach to modelling. This neatly combines the quantitative and qualitative approaches. Alternative approaches which are also possible but are less elegant are a loss distribution approach with a subsequent qualitative adjustment to the capital outcome, or a scorecard approach, with a subsequent quantitative adjustment to the capital outcome.

Is there a difference between good operational risk management practice and an inclusive modelling approach?

It is often assumed that there is a significant difference in the work required from the operational risk department and the business between good operational risk management practice and the sophistication implied by an inclusive modelling approach. However, good modelling governance incorporates most of the qualitative requirements for good practice, as is shown in Table 8.4:


Table 8.4 Qualitative governance standards

| Governance standard | Inclusive modelling | Good ORM practice |
|---|---|---|
| Independent ORM function | Y | Y |
| Board, senior management involvement | Y | Y |
| ORM integrated/documented | Y | Y |
| Capital allocation/incentives | Y | Y |
| Scenario analysis integrated | Y | |
| Regular ORM audits | Y | Y |
| External OR measurement validation | Y | Y |

Source: Courtesy of Chase Cooper Limited

It can clearly be seen that most of the qualitative governance standards which are essential in inclusive modelling are also essential good operational risk practice. It is true that the depth of analysis may differ, for example, in the external operational risk measurement validation where it will be less detailed in good operational risk practice than in inclusive modelling. The capital allocation and incentives for good risk management will also be to a different depth and rigour. However, the only major item which stands separately in inclusive modelling is integrated scenario analysis. It is arguable that any well-run firm will include this in its business practices anyway.

Table 8.5 Quantitative governance standards

| Governance standard | Inclusive modelling | Good ORM practice |
|---|---|---|
| Economic capital @, say, 99.9%, one-year holding period | Y | |
| Comprehensive loss data gathering | Y | (Y) |
| Loss data assigning | Y | (Y) |
| External loss data use – integrated/documented | Y | |
| Methodology/data periodic review | Y | Y |
| Judgement overrides documented/reviewed | Y | (Y) |
| Sufficient volume of data | Y | |
| Parameter/risk estimates: validated/documented/reviewed | Y | (Y) |

Source: Courtesy of Chase Cooper Limited


A comparison of the quantitative governance standards, as shown in Table 8.5, is equally informative. Clearly the need to calculate economic capital at, say, the 99.9 centile for a one-year holding period, to integrate and document the use of external loss data and to hold a sufficient volume of loss data are specific to the inclusive modelling approach. However, the other governance essentials are covered (albeit to a lesser depth) by good operational risk practice. It is also true that a number of these are implicit within good operational risk governance (reflected in Table 8.5 by a (Y)) rather than explicit. A firm practising good operational risk governance should take account of implicit as well as explicit needs.
The final, and important, factor about model governance is to ask whether the board understands the modelling approach and whether it can trust the results. On the first point, there is really no excuse for board members not understanding the assumptions and principles on which the models are based, including the basis of the mathematics. On the second, there should be a robust and independent system of model validation. This can be undertaken through peer review by modelling experts and business managers within the firm, supported by effective and independent assurance from internal audit. This will help to make sure that models are consistent and also help to eradicate any bias in the process. If independent experts are not available, they will have to be brought in from outside. Whichever approach is taken, models should be thoroughly validated to provide comfort to the board who will use them for business decisions.

Distributions and correlations


Many distributions can be used for modelling operational risk. Clearly, continuous distributions are relevant for impact or severity, whereas discrete distributions are relevant for frequency or likelihood. Typical impact distributions are lognormal, Gumbel, Pareto and Weibull, and typical discrete distributions used are Poisson, uniform, binomial and negative binomial. Mathematicians involved in operational risk modelling have their favourite distributions. However, the choice of distribution has a smaller effect on the capital requirement, whether economic or regulatory, than the quality of the primary data, such as the relevance of the loss to the firm, the accuracy of the risk assessment score and the accuracy of the control assessment score. This further underlines the importance of the quality and completeness of the primary data.
Similarly, there is much debate about the correlations of different risks and risk categories in operational risk. Again, the correlations are less relevant than the accuracy of the primary data. However, most risk managers have a favourite pairing of risks (such as staff turnover and internal fraud) with correlations which should be incorporated into any probabilistic analysis. It should be noted that a perceived set of correlations will often lead to a non-positive matrix (which can be confirmed if a Cholesky decomposition is used to test the data) and therefore the resulting correlations will be mathematically invalid. Such correlation matrices often become positive-definite (i.e. mathematically valid) if the correlation is reduced to 0.2 or 0.15. However, at these low levels of correlation it is questionable whether the time and effort spent on correlations is worthwhile.
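The Cholesky test described above, as an added example that is not part of the book: a small pure-Python check of whether a perceived correlation matrix is positive-definite, together with the observation that capping the correlations at around 0.2 or 0.15 usually restores validity. The risk names and correlation values are constructed for illustration, and the cap-and-retry rule (`cap_correlations`, `largest_valid_cap`) is an assumption about one way a risk manager might proceed, not a method the book prescribes.

```python
"""Check whether a perceived operational-risk correlation matrix is
mathematically valid (positive-definite) by attempting a Cholesky
decomposition, and see whether capping the correlations at a low value
makes it valid.  Added example; the risk names and values are constructed."""
import math

# Constructed example: three risk categories with "perceived" correlations
# elicited from risk managers.  Staff turnover is said to go with internal
# fraud and with systems failure, but fraud and systems failure are said to
# move against each other: a combination no real data could produce.
RISKS = ["Staff turnover", "Internal fraud", "Systems failure"]
PERCEIVED = [
    [1.0, 0.9, -0.5],
    [0.9, 1.0, 0.9],
    [-0.5, 0.9, 1.0],
]


def cholesky(matrix):
    """Return the lower-triangular factor L with L L^T = matrix, or None
    if the matrix is not positive-definite (a pivot would be <= 0)."""
    n = len(matrix)
    lower = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            acc = matrix[i][j] - sum(lower[i][k] * lower[j][k] for k in range(j))
            if i == j:
                if acc <= 1e-12:          # non-positive pivot: not positive-definite
                    return None
                lower[i][j] = math.sqrt(acc)
            else:
                lower[i][j] = acc / lower[j][j]
    return lower


def is_positive_definite(matrix):
    return cholesky(matrix) is not None


def is_valid_correlation_matrix(matrix):
    """A correlation matrix must be symmetric, have a unit diagonal,
    entries in [-1, 1] and be positive-definite."""
    n = len(matrix)
    for i in range(n):
        if abs(matrix[i][i] - 1.0) > 1e-12:
            return False
        for j in range(n):
            if abs(matrix[i][j] - matrix[j][i]) > 1e-12 or abs(matrix[i][j]) > 1.0:
                return False
    return is_positive_definite(matrix)


def cap_correlations(matrix, cap):
    """Shrink every off-diagonal correlation whose magnitude exceeds `cap`
    down to +/-cap, keeping its sign (constructed rule, see lead-in)."""
    n = len(matrix)
    return [
        [matrix[i][j] if i == j
         else math.copysign(min(abs(matrix[i][j]), cap), matrix[i][j])
         for j in range(n)]
        for i in range(n)
    ]


def largest_valid_cap(matrix, caps=(0.5, 0.4, 0.3, 0.25, 0.2, 0.15, 0.1)):
    """Return the largest cap from `caps` (tried from high to low) at which
    the capped matrix becomes a valid correlation matrix, or None."""
    for cap in caps:
        if is_valid_correlation_matrix(cap_correlations(matrix, cap)):
            return cap
    return None


if __name__ == "__main__":
    print("perceived matrix valid?", is_valid_correlation_matrix(PERCEIVED))
    for cap in (0.5, 0.2, 0.15):
        ok = is_valid_correlation_matrix(cap_correlations(PERCEIVED, cap))
        print(f"capped at {cap}: valid? {ok}")
    print("largest cap that gives a valid matrix:", largest_valid_cap(PERCEIVED))
```

The perceived matrix fails the Cholesky test, and it stays invalid at a 0.5 cap (the matrix is exactly singular there) but passes at 0.4 and below. The check is cheap enough to run every time a correlation set is edited, before any simulation uses it.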

Practical problems in combining internal and external data
Gaps
There are often gaps in the internal loss data. It is very common, for instance,
in banking for there to be a significant quantity of loss data in the loss event
type ‘Execution, delivery and process management’ for all firms and, for retail
banking institutions, in the loss event type ‘External fraud’. This may be
because senior management gets to know about fraud losses or because they
come directly from the general ledger. Either of these reasons means that fraud
loss reporting is not reliant on individual staff reporting the loss. However,
some loss event types such as ‘Damage to physical assets’ have a historically
low data count. In order for data to be significant, there must be sufficient
data points for reliable statistical modelling. For these purposes, at least 30
independent sets of data are required.

Scaling
Such gaps can be partially filled by external loss data. However, there is considerable debate around how to scale external data for a particular firm. For example, what scaling factor should be used in order to adjust the loss suffered by a Barings or BCCI to a particular firm’s risk profile? A number of commentators have suggested metrics such as number of staff, gross revenues or the number of trading tickets processed. However, there is no evidence to show that losses can be scaled using such metrics. The answer, as we saw in the section on scaling in Chapter 5, Events and losses, is that precise scaling is not possible, but an assessment can be made by identifying common factors between the loss-suffering firm and your own and extrapolating an answer on that basis.


Data cleansing
It is very clear that models using external data are particularly sensitive to the
data, as its principal impact will be on the extreme right-hand end of the curve
from which a capital figure is taken. As such, cleansing of external loss data is
vitally important when it is used for modelling. The term ‘cleansing’ denotes
the process of checking that the losses are relevant to the firm and determining
an appropriate size of the loss with respect to the firm.
Whilst the appropriate size can be determined through some form of scaling, as discussed above and in Chapter 5, the relevance of the loss to the firm is the first step in the process, as there is no point scaling a loss which is not relevant. To understand the relevance, it is important to have a narrative in the external data which comments on the cause of the loss. A full and accurate description is therefore required.
It is of course clear that, for a financial services firm, a trading loss made through a ‘fat finger’ error by a competitor is relevant, at some size, to another trading firm. Equally, this loss is unlikely to be relevant to a small retail financial services firm. However, a loss suffered by a retail bank through mortgage fraud may be conceptually relevant to a trading firm if the loss was caused through poor documentation standards. Such standards are equally applicable to a trading and sales firm and are particularly relevant if the trading and sales firm conducts, for instance, over-the-counter derivatives.
Additionally, there may be losses made by firms outside the financial services sector which are directly relevant to a financial services firm. For example, the British Airways and Gate Gourmet outsourcing case, mentioned in Chapter 13, Outsourcing risk, is directly relevant to almost all financial services firms, as outsourcing is significant in their industry.
It is therefore important for external data to be carefully challenged, both in terms of relevance and size, before putting such data into a model. This challenge does not have to be carried out every time the model is run, although it is appropriate to review previous challenges on a periodic basis, such as an annual review. Similarly, it is also appropriate to challenge internal data when the firm’s business model changes, when there are significant changes in the marketplace and as it degrades over time and may become only partially relevant.

Weighting the cells


In the IMA, each cell is given an exposure indicator which effectively gives a weighting to that cell. It may be appropriate for the model to have a weighting factor, depending on the exposure of the firm to that particular loss event type/business line combination. The weighting may be occasioned by a particular downturn in the markets relevant to a business line or by the firm deliberately decreasing or increasing its exposure to a business line, either in a discrete fashion through, for example, hiring a trading team or in a slow continuous fashion by, for example, a measured withdrawal from that market.

Taking insurance into account


One challenge for modellers is how to take insurance into account. Often a
manual adjustment is made to the relevant cells following the calculation
of the gross capital. Alternatively, a very sophisticated model may allow the
entering of insurance details such as the deductible and the claims limit so that
these can be automatically taken into account. However, this means that each
insurance contract must be mapped to a firm’s loss event types and business
lines and those of any regulator to which it has to report. This is a challenging
exercise because of the number of potential overlaps between policies, causes of
losses and loss event types (see Mapping in Chapter 11, Insurance).

Fat tails
The term ‘fat tails’ is sometimes used, often somewhat disparagingly, during a
discussion about modelling operational risk events and losses. This refers to the
higher quantiles in a distribution and to the seeming paradox that a considerable
number of high quantile events have occurred within the last 15 to 20 years.

Figure 8.2 Lognormal distribution and ‘fattened’ tail

[Figure: frequency plotted against severity; a lognormal distribution at low severities, drawn from internal (private) data, with a fattened tail at high severity values, drawn from external (public) data]

Source: Courtesy of Chase Cooper Limited

Mathematically, very large events are only supposed to happen once in many lifetimes. Yet any operational risk manager can name at least half a dozen very large events they have experienced or been aware of, without even touching the events of the financial crisis of 2007/9. To have a very large number happening in such a relatively short timescale means that at least one of the assumptions underlying modelling must be incorrect. The most obvious assumption to challenge is that the shape of the curve is correct. The response of many mathematicians involved in operational risk has been to increase the size of the tail above that which is demanded by the standard shape for a distribution (see Figure 8.2). This inevitably increases the size of the capital required, but it makes the model appear more in touch with reality, as higher losses demand more capital.

Figure 8.3 Lognormal and bimodal distributions

[Figure: frequency plotted against severity; a lognormal distribution at low severities, drawn from internal (private) data, and a second, separate distribution at high severity values, drawn from external (public) data]

Source: Courtesy of Chase Cooper Limited

However, it is also possible that another distribution exists in the higher quantiles which is largely separate from the distribution which covers expected losses in the high frequency/low to medium impact part of the curve. The challenge for modellers is to model a bimodal distribution with one mode in the expected losses area and a second in the low frequency/high impact area (see Figure 8.3). Resolving this challenge is a significant mathematical exercise and is beyond the scope of this book.

Confidence levels and ratings


If a firm is not bound by specific regulatory requirements, it has a choice of confidence levels from which to choose. As a guide, the European insurance industry uses a confidence level of 99.5%, whereas the Basel Committee’s advanced operational risk approach uses 99.9%. It is interesting, however, that regulators generally also choose a multiplier on top of the confidence level. A multiplier may move a capital requirement from 3 to 7 standard deviations and give a higher level of capital, as well as a greater level of confidence that the capital requirement will not be exceeded.
Whatever confidence level is used, it is simply a guide to the capital required. For example, a confidence level of 99.9% for a holding period of one year means that on average the capital required will not exceed that level except for a 1 in a 1000 event occurring. This therefore requires many years (if not thousands!) to pass before the average capital required can be stated with some degree of certainty. Clearly this can only be an approximation in our lifetimes, as has been amply demonstrated during the 2007/9 financial crisis.
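As an added example covering the sections above on distributions, fat tails and confidence levels (it is not code from the book or from Chase Cooper): a loss-distribution Monte Carlo for one cell in pure Python, with Poisson frequency and lognormal severity, an optional second severity component standing in for the external-data ‘second distribution at high severity values’ of Figure 8.3, and the 99.5% and 99.9% quantiles read off the simulated annual losses. All parameter values (event rate, severity parameters, the 2% weight of the second component) are constructed.

```python
"""Loss-distribution Monte Carlo for one loss event type / business line
cell: Poisson frequency, lognormal severity, an optional second severity
component (bimodal / fattened tail) and capital read off at a chosen
confidence level.  Added example; all parameter values are constructed."""
import math
import random


def poisson(rng, lam):
    """Knuth's method for a Poisson draw (adequate for small event rates)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def severity(rng, mu, sigma, tail=None):
    """One loss amount.  The base severity is lognormal(mu, sigma).  `tail`,
    if given, is (probability, mu, sigma) for a second, much larger-loss
    component drawn with that probability per event, representing the
    external/public data that populates the far end of the curve."""
    if tail is not None:
        p_tail, mu_t, sigma_t = tail
        if rng.random() < p_tail:
            return rng.lognormvariate(mu_t, sigma_t)
    return rng.lognormvariate(mu, sigma)


def simulate_annual_losses(years, lam, mu, sigma, tail=None, seed=1):
    """Return a list of simulated annual aggregate losses for one cell:
    each year draws a Poisson event count and sums that many severities."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        n = poisson(rng, lam)
        annual.append(sum(severity(rng, mu, sigma, tail) for _ in range(n)))
    return annual


def quantile(values, level):
    """Empirical quantile (e.g. level=0.999) by the nearest-rank method."""
    ordered = sorted(values)
    rank = max(1, math.ceil(level * len(ordered)))
    return ordered[rank - 1]


def economic_capital(annual, level):
    """Unexpected loss: the quantile less the expected (mean) annual loss."""
    return quantile(annual, level) - sum(annual) / len(annual)


def compare(years=20000):
    """Same cell with and without the second severity component (constructed:
    20 events a year, median loss 10,000; 2% of events from a component with
    median 1,000,000), at the 99.5% and 99.9% confidence levels."""
    base = simulate_annual_losses(years, lam=20, mu=math.log(10_000), sigma=1.0)
    fat = simulate_annual_losses(years, lam=20, mu=math.log(10_000), sigma=1.0,
                                 tail=(0.02, math.log(1_000_000), 1.2))
    return {
        "q995_base": quantile(base, 0.995),
        "q999_base": quantile(base, 0.999),
        "q995_fat": quantile(fat, 0.995),
        "q999_fat": quantile(fat, 0.999),
        "capital_999_base": economic_capital(base, 0.999),
        "capital_999_fat": economic_capital(fat, 0.999),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:18s} {value:16,.0f}")
```

At 99.9% the figure is decided by the top 0.1% of simulated years, so with 5,000 simulated years only five observations set it; that is the simulation counterpart of the point above that a 1 in 1000 level needs many years to pin down, and it is also why the choice of seed and of the number of years belongs in the model documentation that the governance standards of Table 8.5 ask for.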

Obtaining business benefits from capital modelling


In a report from any capital model using a cell approach there will be many
cells containing valuable business data which can be used to give information
on the quality of the firm’s controls and the capital needed to support each of
the businesses.

Figure 8.4 Model output example: capital requirement

Source: Courtesy of Chase Cooper Limited

In Figure 8.4, the capital requirement of approximately £283m can be seen in the bottom right-hand cell. However, this output can yield significant business information. For example, in the ‘Employment Practices & Workplace Safety’ column it can be seen that Corporate Finance has a capital requirement of approximately £16m whereas ‘Trading & Sales’ has a requirement of approximately £2 million for the same Basel loss event type. Both Corporate Finance and Trading & Sales are regarded by Basel as higher-risk business lines and both attract a weighting of 18% under the Standardised Approach to capital calculation. If both businesses have a similar number of staff and a similar culture within the firm whose AMA output is represented in Figure 8.4, it is likely that the capital required for risks under the ‘Employment Practices & Workplace Safety’ heading will also be similar. Why then are the capital requirements so different?
There are at least three explanations:
• Corporate Finance has been through a very difficult period in terms of staff relations and has had to make a number of out-of-court settlements. If this is the reason, clearly some senior management work is necessary in order to improve staff relations in Corporate Finance.
• Corporate Finance has been assiduously submitting its losses and events to the Operational Risk Department whereas Trading & Sales has inadvertently or otherwise not disclosed all of its events. If this is the reason, clearly some work is necessary with senior staff in Trading & Sales in order to encourage them to disclose all of their events.
• Trading & Sales has very good controls which have both prevented losses from occurring and, when they have occurred, the losses have been detected quickly and the control failures have been corrected without delay. If this is the reason, management should determine whether the good quality controls in Trading & Sales can be replicated in Corporate Finance (and in other high-capital requirement areas such as Retail Banking and Retail Brokerage). Such replication will significantly reduce the amount of capital required to run the firm.
Similarly, in the ‘Business Disruption & Systems Failures’ column there is a very small capital requirement against Agency Services. Either very good controls (perhaps a hot standby computer system) exist in Agency Services for Business Disruption & Systems Failures or Agency Services is very dilatory in reporting events and losses and also has assessed its business and internal control environment as excellent (i.e. its risks are very low and its controls are very good). If good controls exist then it will be very worthwhile investigating whether these controls can be replicated in, for instance, Retail Banking or Retail Brokerage where a substantial reduction in capital could be achieved.

Linking model data and reports


It can also be helpful to look at the number of losses reported and to link these with the value of capital required. Figure 8.5 gives the numbers of internal losses recorded relating to the capital figures given in Figure 8.4.

Figure 8.5 Model input example: number of internal losses (part of the data used to generate the output in Fig 8.4)

Source: Courtesy of Chase Cooper Limited

Linking the number of losses in the ‘Employment Practices & Workplace Safety’ column for Corporate Finance and Trading & Sales to the capital requirements in Figure 8.4 gives a clearer picture of which of the three possibilities above are more likely. Given that Trading & Sales has only reported 39 events against Corporate Finance’s 95 events, it would appear that the second possibility is more likely, i.e. Trading & Sales has not reported all of its events and losses, whereas Corporate Finance has been very diligent. However, the third possibility remains feasible and clearly the next step is a short investigation of Trading & Sales to see which of these two remaining possibilities has actually occurred.
In much the same way, Agency Services having only one event reported requires further investigation. In both cases, the firm will benefit from either better reporting of losses and therefore better data on which to manage the businesses or from good controls in one business being developed and implemented in other businesses. Either way the firm’s operational risk profile will be better managed and potentially significantly reduced.

Preventative control testing


Even a brief glance at the two screens shows that there are many other challenges which can be made which are of business benefit. As the number of events reported relates directly to the quality of the preventative controls, an examination of Figure 8.5 will yield data about the quality of the preventative controls. For example, in ‘Clients, Products & Business Practices’ Trading & Sales and Commercial Banking both have relatively low numbers of events and therefore possibly very good preventative controls.
However, by also looking at Figure 8.4, it can be seen that Trading & Sales has a much higher capital requirement than Commercial Banking for this loss event type. This implies that when Trading & Sales has a loss in ‘Clients, Products & Business Practices’ it is a much larger loss on average than Commercial Banking. Clearly, assuming the transaction size and business practices of these two businesses are similar, Commercial Banking is able to minimise the size of its losses at the same time as minimising the number of its losses. Any business practices which can be copied from Commercial Banking into Trading & Sales, Retail Brokerage and/or Asset Management will again substantially reduce the capital required by the firm.

Detective and corrective control testing


The ability to minimise the size of losses speaks directly to the quality of the detective and corrective controls operated by the business line. Good detective controls will reduce the possibility of the loss growing through lack of detection. Good corrective controls will rapidly return the firm to the position that it was in (or better) and thereby also minimise the size of the loss. Modelling can show areas where the firm has good detective and corrective controls through the average size of the loss and, more particularly, through the standard deviation of the size of the loss. (The standard deviation of a set of numbers can be obtained through the standard formulae in Excel.)
A large standard deviation indicates that the detective and corrective controls are poor as the impact of a risk has a wide number of values. In contrast, a small standard deviation indicates that the controls contain the impact of the risk event to a relatively small range of values around the average. Figure 8.6 shows this in graphical terms.

Figure 8.6 Small, medium and large standard deviations

[Figure: frequency plotted against severity for three loss distributions: a ‘wide’ distribution (large sd) with poor detective controls, a ‘medium’ distribution (medium sd) with adequate detective controls, and a ‘tight’ distribution (small sd) with excellent detective controls]

Source: Courtesy of Chase Cooper Limited

A standard deviation of a set of losses, typically represented by the losses relating to a single cell in the 56-cell matrix, is a common input to or output from a model. Examination of the standard deviations will yield conceptually similar challenges and business benefits to those noted above in the examinations of capital requirements and numbers of losses.
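One way to draw the per-cell figures the last few sections rely on (counts of reported losses, average loss and standard deviation by business line and loss event type), as an added example rather than anything from the book or from a vendor's model: a constructed loss register is grouped into cells, each cell gets a count, mean and sample standard deviation (the n-1 formula, as Excel's STDEV), cells with fewer than the 30 points the Gaps section calls for are flagged, business lines are ranked within a loss event type by the spread of their losses relative to the average, and cells with only one recorded loss are listed for the short investigation the text recommends. The loss records and the flags are constructed assumptions.

```python
"""Per-cell statistics from an internal loss register: number of losses,
average loss and sample standard deviation for each business line / loss
event type cell, plus the flags the chapter's discussion suggests.
Added example; the loss records below are constructed."""
import math
from collections import defaultdict

MIN_POINTS = 30   # rule of thumb from the Gaps section for reliable modelling

# Constructed loss register: (business line, loss event type, loss amount, GBP).
LOSSES = [
    ("Trading & Sales", "Clients, Products & Business Practices", 250_000),
    ("Trading & Sales", "Clients, Products & Business Practices", 1_200_000),
    ("Trading & Sales", "Clients, Products & Business Practices", 40_000),
    ("Commercial Banking", "Clients, Products & Business Practices", 30_000),
    ("Commercial Banking", "Clients, Products & Business Practices", 35_000),
    ("Commercial Banking", "Clients, Products & Business Practices", 25_000),
    ("Agency Services", "Business Disruption & Systems Failures", 5_000),
]


def sample_sd(values):
    """Sample standard deviation (n-1 denominator, as Excel's STDEV);
    None when there are fewer than two values."""
    n = len(values)
    if n < 2:
        return None
    mean = sum(values) / n
    return math.sqrt(sum((v - mean) ** 2 for v in values) / (n - 1))


def cell_statistics(losses):
    """Group losses into (business line, event type) cells and compute
    count, total, mean, sd and the coefficient of variation (sd / mean)."""
    cells = defaultdict(list)
    for line, event_type, amount in losses:
        cells[(line, event_type)].append(amount)
    stats = {}
    for cell, amounts in cells.items():
        mean = sum(amounts) / len(amounts)
        sd = sample_sd(amounts)
        stats[cell] = {
            "count": len(amounts),
            "total": sum(amounts),
            "mean": mean,
            "sd": sd,
            # relative spread, so cells of different size can be compared
            "cv": (sd / mean) if (sd is not None and mean > 0) else None,
            "enough_data": len(amounts) >= MIN_POINTS,
        }
    return stats


def compare_within_event_type(stats, event_type):
    """Rank business lines for one loss event type by cv, lowest first: a
    tight spread suggests losses are detected and corrected quickly."""
    rows = [(cell[0], s) for cell, s in stats.items()
            if cell[1] == event_type and s["cv"] is not None]
    return sorted(rows, key=lambda r: r[1]["cv"])


def under_reported_candidates(stats, max_count=1):
    """Cells with very few recorded losses: either excellent controls or
    poor reporting, and in both cases worth a short investigation."""
    return sorted(cell for cell, s in stats.items() if s["count"] <= max_count)


if __name__ == "__main__":
    stats = cell_statistics(LOSSES)
    for (line, event_type), s in sorted(stats.items()):
        sd = f"{s['sd']:,.0f}" if s["sd"] is not None else "n/a"
        flag = "" if s["enough_data"] else f"  (< {MIN_POINTS} points)"
        print(f"{line:20s} {event_type:42s} n={s['count']:3d} "
              f"mean={s['mean']:12,.0f} sd={sd:>12s}{flag}")
    print("investigate:", under_reported_candidates(stats))
```

With these constructed records Commercial Banking ranks ahead of Trading & Sales for ‘Clients, Products & Business Practices’ on both average loss and spread, which is the pattern the text reads as better detective and corrective controls; every cell is also flagged as having fewer than 30 points, a reminder that with a register this thin the ranking is a prompt for questions, not a modelling input.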

Obtaining business benefits from qualitative modelling


Significant business benefit can be obtained from modelling risk and control assessments by themselves. This means that the business benefits of modelling can be achieved by firms much more quickly than waiting for significant volumes of internal loss data to accumulate.

Risks
Risk and control assessment data can be modelled through using standard
Monte Carlo simulation techniques. An output example for risks is shown in
Figure 8.7.

Figure 8.7 Risk and control assessment model output example: potential gross and net losses

Source: Courtesy of Chase Cooper Limited


A risk and control assessment model will take the risk and control scores assigned during an assessment and model these through simulating the potential losses using a given distribution.
As can be seen from the histogram in Figure 8.7 there are three risks (RSK00004, RSK00013 and RSK00020) which have significant modelled net losses (pale bars). Their net values of approximately £6m, £3m and £1m respectively can be read from the detailed spreadsheet below the histogram.
It is not surprising that most risks have a net loss as the data has been modelled at a confidence level of 99.9%. What is surprising is that three risks (Overdependence on outsourcing; Poor employee incentives; Misaligned employee goals) still have zero net risk even at the 99.9 quantile. It is most unlikely, although possible, that the controls mitigating these risks are so good that they are still operating perfectly at the average of the worst year in 1000 years. It is far more likely that:
• the quality of the controls has been overstated
• the number of controls mitigating the risk has been overstated, or
• the independence of the mitigating controls has been overstated.
Clearly, if the controls are all scored with a top score for both design and performance they are most unlikely to fail together and cause a net loss, particularly if there are two or three controls all with maximum scores. Equally, if there are a number of controls, perhaps six or seven, it is very unlikely that sufficient will fail in order to generate a net loss, even if some are rated below maximum. The positive effect of having many controls can be compounded if the controls identified are not independent. One of the fundamental assumptions underpinning all operational risk models which use control scoring is that the controls are independent. If this is not the case, the model will overstate the mitigating effect of the controls.
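To make the independence point concrete, here is an added example (not from the book or any vendor's model) that simulates one risk from a risk and control assessment with three top-scored controls, once under the usual assumption that the controls fail independently and once treating them as a single common-cause block that fails together. The mapping from design and performance scores to a control failure probability, the 5% failure rate for a top score, the 50% annual likelihood of the risk and the lognormal gross impact are all constructed assumptions.

```python
"""Monte Carlo over a single risk from a risk and control assessment,
showing why a top-scored set of controls gives zero net loss at the 99.9%
quantile under the independence assumption, and how much that changes if
the controls are not independent.  Added example; the score scale and all
probabilities are constructed assumptions."""
import math
import random


def control_failure_probability(design, performance, scale=5):
    """Constructed mapping from design and performance scores (1..scale,
    higher is better) to the probability that the control fails when the
    risk event occurs.  Two top scores give 5%; two bottom scores give 49%."""
    quality = (design + performance) / (2 * scale)       # 0.2 .. 1.0
    return 0.05 + 0.55 * (1.0 - quality)


def simulate_net_losses(years, likelihood, mu, sigma, controls,
                        independent=True, seed=7):
    """Annual net loss for one risk.  `likelihood` is the probability that
    the risk event occurs in a year; gross impact is lognormal(mu, sigma);
    `controls` is a list of (design, performance) scores.  A net loss only
    arises when every control fails.  With independent=False the controls
    are treated as one common-cause block that fails together with the
    weakest control's probability."""
    rng = random.Random(seed)
    probs = [control_failure_probability(d, p) for d, p in controls]
    net = []
    for _ in range(years):
        if rng.random() >= likelihood:          # risk event does not occur
            net.append(0.0)
            continue
        gross = rng.lognormvariate(mu, sigma)
        if independent:
            all_fail = all(rng.random() < q for q in probs)
        else:
            all_fail = rng.random() < max(probs)
        net.append(gross if all_fail else 0.0)
    return net


def quantile(values, level):
    """Empirical quantile by the nearest-rank method."""
    ordered = sorted(values)
    return ordered[max(1, math.ceil(level * len(ordered))) - 1]


def analytic_net_loss_probability(likelihood, controls, independent=True):
    """Closed-form probability of a net loss in a year, for comparison."""
    probs = [control_failure_probability(d, p) for d, p in controls]
    fail = math.prod(probs) if independent else max(probs)
    return likelihood * fail


def compare(years=10000, level=0.999):
    """Three controls all scored 5/5 against a risk occurring in half of all
    years with a median gross impact of 2,000,000 (constructed values)."""
    controls = [(5, 5), (5, 5), (5, 5)]
    mu, sigma = math.log(2_000_000), 0.8
    ind = simulate_net_losses(years, 0.5, mu, sigma, controls, independent=True)
    dep = simulate_net_losses(years, 0.5, mu, sigma, controls, independent=False)
    return {
        "p_independent": analytic_net_loss_probability(0.5, controls, True),
        "p_dependent": analytic_net_loss_probability(0.5, controls, False),
        "q_independent": quantile(ind, level),
        "q_dependent": quantile(dep, level),
        "years_with_net_loss_independent": sum(1 for v in ind if v > 0),
        "years_with_net_loss_dependent": sum(1 for v in dep if v > 0),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:34s} {value:>14,.6g}")
```

Under independence the chance of a net loss in a year is 0.5 × 0.05³, about 1 in 16,000, so the 99.9% quantile (a 1 in 1,000 year) is zero: exactly the ‘zero net risk’ result the text finds implausible for real controls. If the three controls share a common cause the chance rises to 0.5 × 0.05, 1 in 40, and the same quantile becomes a multi-million gross loss passed straight through. The gap between the two runs is the amount by which the model overstates the mitigation when the independence assumption does not hold.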

Controls
An alternative way to look at a risk and control assessment is through the controls. Rather than have the model aggregate results by risks it is also of business benefit to have the model aggregate results by controls, particularly as one control may mitigate several risks.
Figure 8.8 gives the reduction in risk exposure achieved by each control and, taking into account the cost of each control, gives the net benefit of the control. This enables a firm to see the net reduction that a control gives in risk exposure. It can be seen at the top of Figure 8.8 that ‘Salary surveys’ and ‘Training and mentoring schemes’ give high values of control benefit after cost with ‘Defined communication channels’ giving the highest benefit. It is interesting that ‘Retention packages for key staff’ gives the second-highest control benefit but only the fourth highest benefit after taking costs into account.

Figure 8.8 Risk and control assessment model output example: potential control benefits

Source: Courtesy of Chase Cooper Limited

At the other end of the scale, staff training and certification and client agreements/marketing are both controls which cost considerably more than the value that they bring to reducing the risk profile. The business question to be asked now is whether these two controls can be operated at a lower cost, while still achieving an acceptable mitigation of risk. In other words, is the firm willing to spend that level of money in order to achieve a relatively small reduction in risk profile? In some cases such a spend may be acceptable for controls related to, for example, a regulatory risk which has to be mitigated in order to comply with regulations. In other cases the choice will be much more up to management to determine whether or not the reduction in risk justifies the spend.

Risk owners
Figure 8.9 shows a comparison between the risk owners who were captured during the risk and control assessment for gross loss, control benefit and net loss. It is interesting to note that the highest net loss is risk owner DA, followed by risk owner CK. It is to be expected that DA is the CEO of the firm and that CK is one of the senior business heads. If this is not the case the firm should ask itself whether it wants someone other than the CEO to be the largest risk owner by value. It is also worth noting that risk owner TB has the largest gross loss exposure and also the largest control benefit, i.e. the controls for TB’s risks almost completely mitigate the highest value risks in the firm. Is, perhaps, TB being over-optimistic in his/her control assessment? And, therefore, is the firm more exposed to TB’s risks than it has previously thought?

Figure 8.9 Risk and control assessment model output example: risk owner results

Source: Courtesy of Chase Cooper Limited

Ranking risks and controls

Figure 8.10 Risk and control assessment model output example: highest potential residual risks

Source: Courtesy of Chase Cooper Limited

With the basic simulations complete on risks and controls it is possible to extract further business benefit by ranking them. For example a report showing the 10 highest residual risks will give the firm the opportunity to challenge whether, for example in Figure 8.10, ‘Poor staff communication’ is the risk in which the firm wishes to have its highest residual exposure. If this is the case, modelling has validated the firm’s risk appetite. If this is not the case, modelling of the risk and control assessment has given the firm the opportunity to challenge and improve the controls around this risk.
Such a report is particularly helpful when a firm has carried out a considerable number of risk and control assessments and is wondering how to prioritise its control enhancements. There will inevitably be a considerable number of action plans, all of which will be vying for scarce resources and money. An explicit statement of the monetary value of the potential net loss relating to each of the risks is invaluable in assisting the prioritisation thought process.
Just as ranking risks can be very helpful to the firm, so too can be ranking of controls, as shown in Figure 8.11.

Figure 8.11 Risk and control assessment model output example: best and worst controls

Source: Courtesy of Chase Cooper Limited


The obvious question for the firm to ask itself is: ‘Do we want this set of
controls to be our best performing controls and this other set to be our worst
performing controls?’ In particular, and looking at Figure 8.11, the firm’s board
of directors and senior management should be asking: ‘Are we happy that “AML
annual training” is only the eighth most effective control and are we also happy
that “Physical security” is in the list of our 10 worst performing controls?’.
Clearly these questions are dependent on management having faith in the
risk and control assessments, although the questions will inevitably challenge
the scores in those assessments. This has the effect of a virtuous circle where
scoring, modelling and challenging generate real business benefit through
modifying the risk and control environment to fit the risk appetite of the firm.

Summary
Modelling operational risk can be, but should not be, an abstruse ‘black box’
approach accessible only, literally, to rocket scientists. It can and should be
rooted in the core operational risk framework processes of risk and control
assessments, loss events and indicators, as we have shown in this chapter. And
its assumptions and principles should be understood by the board and senior
management. Since it is used for capital modelling it can have a direct impact
on reports on both product and business line performance.
Within operational risk, as with most things, there is no one methodology,
let alone a limited set of distributions which can be applied. As was said in the
early days of operational risk, ‘let a thousand models bloom’.
But even if the assumptions are understood and the methodology is thoroughly and independently validated, the nature of operational risk means that its modelling should be hedged with health warnings. The greatest danger is to take the number at a particular point and not the range of possibilities.

9
Stress tests and scenarios

Introduction
What are they and what’s the difference between them?
Why use scenarios?
Problems with scenarios …
… and how to do them better
Governance
Developing a set of practical scenarios
Preparing for the extreme event
Typical problems following scenario development
The near death experience
Applying scenarios to operational risk management data
Summary


Introduction
Stress testing and scenario analysis are essential tools for a firm’s planning and operational risk management processes. They are rooted in the firm’s business and strategic objectives and should form part of the process of identifying those objectives. They alert the firm’s management to adverse unexpected outcomes, beyond those which have been identified in risk and control assessments or modelling, and supplement other operational risk management approaches and measures. Stress tests and scenarios are not forecasts of what is likely to happen; they are deliberately designed to provide severe, but plausible, possible outcomes. They are necessarily forward-looking and therefore involve an element of judgement. Finally, they are invaluable during periods of expansion, by providing a useful basis for decisions when none is available from other sources.
Stress testing and scenario analysis interact with the three fundamental processes of operational risk (see Figure 9.1) and are also a natural part of modelling. As we have seen, events and indicators can be used to develop scenarios, which are then applied to risk and control assessments.

Figure 9.1 Typical operational risk framework, showing position of stress tests and scenarios

[Figure: the operational risk environment, with governance at the top; three parallel processes: Indicators (identify key risk and control indicators), Risk and control assessment (specify risk appetite and owner, assess likelihood and impact; identify control and owner, assess design and performance) and Events (identify and capture internal and external events, analyse causes); action plans under each process; then scenarios and modelling; then reporting]

Source: Courtesy of Chase Cooper Limited

9 · Stress tests and scenarios

What are they and what’s the difference between them?
A typical description of stress testing and scenario analysis is the identification
and analysis of the potential vulnerability of a firm to exceptional but plausible
events. Other descriptions mention events, or combinations of events, which
have a low probability of occurrence, but are realistic.
Stress testing is generally described as the shifting of a single parameter (often
involving a number of standard deviation movements). In an operational risk
context, this can be taken to refer to either the occurrence of a single risk, such
as internal fraud or a system failure, or to the movement of a factor which may
affect or does affect the firm as a whole, such as a significant increase in interest
rates or a significant equity market downturn.
By contrast, scenario analysis is about simultaneously moving a number of
parameters by a predetermined amount, based on statistical results, expert
knowledge and/or historically observed events.

Figure 9.2 Combining stress testing and scenario analysis

[Diagram: vulnerabilities sit at the centre, with stress testing (single-factor simulation) at the top and scenario testing (multi-factor simulation) at the bottom; the diagonal labels read hypothetical analysis, real data, historic scenarios and hypothetical scenarios.]

Source: Courtesy of Chase Cooper Limited

In reality, firms use both approaches in order to ensure a comprehensive
analysis (see Figure 9.2). For the sake of brevity, the term scenario will be used
in this chapter to cover both stress testing and scenario analysis. As has been
shown, stress testing is simply a special case of scenario analysis, in which only
one parameter changes.


Why use scenarios?


Scenarios are particularly important in operational risk because the only other
subjective and forward-looking information is available from risk and con-
trol assessments. Scenarios usefully supplement and provide challenge to the
equally subjective risk and control assessments. By having two sets of data
challenging each other, both of which have been derived subjectively, better
clarity is achieved and a firmer base is available from which to create action
plans to enhance risk management, perhaps through improving controls or
implementing further controls. Trends in key risk indicators can also be for-
ward-looking, based on actual current and past data. As such, the trends form a
useful input when creating scenarios.
Scenarios also help overcome some of the limitations of models and other
historic data described in the previous chapter. All models, including oper-
ational risk models, are constructed on the basis of a number of assumptions,
such as correlations, but which are often lost in the mists of time or enthusi-
asm, are forgotten or are simply ignored. For instance IT systems failure may
be correlated with the business continuity plan. However, if the IT system
does break down, it may turn out that there is no need to invoke the busi-
ness continuity plan. The correlation is not as certain as had been thought.
Challenging the models through extreme but plausible scenarios tends to
uncover where some of these assumptions break down when an extreme event
occurs. In addition, there is often a lack of appropriate loss data in operational
risk. Constructing hypothetical yet realistic additional data points can shed
useful light on rare events.
By giving transparency to management thinking about the firm’s exposure
to operational risk, scenarios support both internal and external communi-
cation. They can enable staff to understand more fully the board’s and senior
management’s approach to operational risk. And if they are reported in the
annual report and accounts, they can assist investors to monitor their invest-
ment and to hold the board accountable. They can also demonstrate the quality
of the firm’s risk management.
Scenarios, of course, also feed into capital and liquidity planning. They pro-
vide useful stretch and challenge to the assumptions underlying the firm’s
financial planning and enable the board and senior management to understand
better the sensitivities of the firm to its risk exposures. Similarly, indicator
thresholds and risk appetite gaps are exposed, so that management can better
identify where additional controls may be necessary or where a higher risk
appetite may be appropriate.
Finally, contingency planning (see Chapter 10, Business continuity) is
supported by scenarios through the challenge which they provide. Although
contingency planning is quite naturally about exceptional events, only a few
limited events are usually contemplated. Scenarios enable a wider variety of
situations to be considered for which contingency planning may be a valuable
and practical solution.
Despite all the above points, scenarios should not be considered as the sal-
vation to all risk management weaknesses and problems. They are an important
tool in the operational risk manager’s tool kit, but only one amongst a number.

Problems with scenarios . . .


The financial crisis of 2007/9, the kind of event for which scenarios might have
been thought to have been designed, exposed a number of issues. This was partly
because, with few exceptions, there is no agreed scenario methodology. One
exception is Lloyd’s of London, which publishes realistic disaster scenarios to
establish a common basis for estimating underwriting risk to a 99.5% degree of
confidence and has also published examples of operational risk scenarios.1

Too short a timeframe


After the financial crisis, it emerged that a number of scenarios used by firms
related to relatively normal events such as might happen every 1 in 10 or 1
in 20 years. This is probably unsurprising, since it is much easier to focus on
events of which you are aware or which may occur within a career lifetime.
This is known as availability bias and is considered later in this chapter.
Another flaw was to assume that scenarios have short durations, affecting no
more than, say, one quarter’s earnings. Whilst this may be true of a relatively
benign scenario, it is highly unlikely to be true of an extreme scenario.

Outcomes too modest


Another issue is that scenarios often do not produce sufficiently large loss
numbers. They usually produce large numbers, but availability bias – the
experience of those devising and running the scenarios – means that they often
fail to produce sufficiently large ones. Before the attack on the World Trade
Center in September 2001, it would generally have been thought that a fall in
equities of 40% could not have occurred at the same time as interest rates fall-
ing to a 50-year low, let alone happening at the same time as two world-class
buildings being destroyed. But they did. Indeed, it is reported that six months
before the attack the CIA had rejected the scenario of the twin towers being
destroyed, let alone the other events occurring. As we have said before, sce-
narios demand a fertile imagination.
Another reason for the failure to accept sufficiently extreme outcomes is that
they may suffer from motivational bias – the wish not to contemplate seriously
adverse outcomes. Or very large outcomes are not believed to be credible by
the business. This is, of course, easily managed by involving senior manage-
ment in their development.
In the experience of the authors, whilst scenarios generally do produce large
loss numbers they can also, counter-intuitively, produce relatively small num-
bers. This happens when certain controls are assumed to have failed during a
scenario, but more vital and key controls are given fuller and more compre-
hensive attention (see the worked example later in this chapter). This may well
lead to a lower than expected level of loss, if the key controls are then assumed
to operate at their most effective and efficient level.

Not involving the business


Scenarios often tend to be performed as a mainly isolated exercise by risk man-
agement, in the misguided belief that senior management is too busy and will
not be interested in them. Even in firms where scenarios are used as part of
the firm’s normal management process, they are frequently undertaken within
business lines and are not part of an overarching programme covering the
whole firm.
If scenarios are linked to the business objectives of the firm, through for
example the risk and control assessment, senior management often willingly
gets involved in them, because the scenarios can help them understand the
sensitivities to what are often their personal objectives set during their per-
formance appraisals.

Mechanical, point-in-time
Scenarios have also often been conducted as a mechanical and point-in-time
exercise, with little thought for the reaction of the board or senior manage-
ment to the unfolding scenario. In reality, as scenarios unfold, management
takes action over a period of time (which could be as long as 18 months) to
mitigate the effect of the scenario on the firm. This point is often overlooked.
Additionally, a mechanical and point-in-time approach does not tend to take
account of changing business conditions or incorporate qualitative judgements
from different areas of the firm.

Failure to re-assess historic data


Firms which use historical events for scenario development and generation
assume that very little change is required to the details of the historical event
in order to forecast future risks. The rapid downward and upward equity
market movements of 2008 and 2009 are a good illustration that the move-
ments of the 1920s and 1930s, which were thought to be an overly extreme
base against which to test scenario assumptions, required updating for the very
different communication capabilities and investor skills and practices which
exist in the world today.

Reputation risk ignored


Finally, many firms did not consider or capture reputational risk.
This is despite the fact that many scenarios will inevitably contain a
significant amount of reputational damage and that loss of reputation can be life-
threatening (see Chapter 15, Reputation risk).

. . . and how to do them better


Scenarios should be reviewed frequently so that they can be adapted to chang-
ing market and economic conditions, as well as the changing risk profile of
the firm. As new products, especially complex ones, are launched, the scenarios
should be reviewed in order to identify potential risks and to incorporate the
new products within the scenarios. The new products may even require ad-
ditional scenarios to be developed, for example if a new product is launched in
a country in which the firm has not previously operated.
The identification of risks which correlate, for example supply risk and
production risk, or equity risk and interest rate risk, should be enhanced and
how those risks aggregate should be considered. In addition, correlations
between risks are often underestimated. It is either forgotten or ignored that
correlations frequently break down under stress, and that different, probably
unforeseen, correlations emerge.
Feedback effects across industries or markets, whether positive or negative,
should also be considered, as should appropriate time horizons, rather than
simply looking at the one-off effect of a scenario. For instance, the failure of
Lehman Brothers, which could have been treated simply as the failure of a major
counterparty, led to a significant feedback effect across the liquidity markets.

Governance
As with any operational risk methodology or procedure, it is vital to ensure
that the governance relating to the methodology is documented and under-
stood. Good governance will enable the board and senior management to guide
and direct the operational risk scenario strategy and to review its effectiveness.
From a practical perspective, this will involve setting the scenario objectives;
defining the scenarios; discussing and promoting the discussion of the results
of the scenarios; assessing potential actions and making clear decisions based
on the results; fostering internal debate on the results of the stress tests and
scenarios programme as a whole; and challenging prior assumptions such as cost,
risk and speed for raising new capital or hedging/selling positions. All of these
governance points may be taken up by the board in its meetings or may be dele-
gated to a board scenarios sub-committee which reports back to the full board.
An example of scenario governance came in a paper from the Basel
Committee in May 2009. The headline principles are shown in the box below.
Although they were written for banks, they apply equally to any industry.

Example: Principles for sound stress-testing and scenario governance


Stress-testing should:
1. form an integral part of governance
2. promote risk identification and control
3. take account of views from across the firm
4. have written policies and procedures
5. have a robust infrastructure which is also sufficiently flexible to be
capable of being speedily re-run as circumstances are rapidly changing
6. regularly maintain and update the scenarios framework and regularly
and independently assess the effectiveness of the scenarios programme
7. cover a range of risks/business areas, including firm-wide
8. cover a range of scenarios
9. feature a range of severities, including ones which could challenge the
viability of the bank
10. take account of simultaneous pressures in different markets
11. systematically challenge the effectiveness of risk mitigation techniques
12. explicitly cover complex and bespoke products
13. cover pipeline (supply) and warehousing (product) risks
14. capture the effect of reputational risk
15. consider highly leveraged counterparties and the firm’s vulnerability
to them.
Source: Basel Committee, Principles for sound stress-testing and supervision, May 2009

On the face of it, principles 13 and 15 can be said to be not applicable to oper-
ational risk. However it is easily arguable that pipeline and warehousing risks
and the firm’s vulnerability to highly leveraged counterparties include a sig-
nificant element of operational risk and therefore should be included in any
operational risk exposure review such as scenarios.
Operational risk scenarios should enable a firm to understand the sensitiv-
ities of all of the elements of the firm’s operational risk exposure, as set out in
the operational risk framework we have described in this book. This includes:
• clarifying interactions and causal relationships between the risks and controls
• acting as a challenge to the subjective nature of risk and control assessments
• compensating for the lack of internal loss data
• allowing adjustments to the likelihood and impact assumptions in risk assessments
• allowing adjustments to the design and performance assumptions in control assessments.

Developing a set of practical scenarios

Using news stories


The key to good scenarios is imagination. Perhaps the ‘unknown unknowns’
are not really so unknown, but simply reflect a lack of imagination in people’s
thinking. So the first thing is to be imaginative. With that in mind, a good
place to start when developing a set of practical scenarios is to look at recent
news stories.
These may be events with no obvious link to a particular firm or to your
industry so they should enable a more diverse and innovative way of thinking.
An example of using news stories concerned a wind farm which was proposed
near a military airforce base. At first glance this should not be a problem.
However, the military objected on the grounds that the turbines would inter-
fere with its radar. Clearly during the feasibility study for the wind farm, this
outcome had not been considered. When developing scenarios you need to con-
sider the wider impact on others.
Another example is the significant earthquake experienced by the UK in
2008. It was the biggest in the UK for nearly 25 years. This brought into
focus the fact that the UK has suffered a number of earthquakes (albeit only
moderate to significant) and is situated at the boundaries of minor plates. Even
moderate to significant earthquakes can cause damage, in particular to sensi-
tive electronic equipment. However, it is very unusual for UK firms to include
an earthquake within their scenarios.

The crisis management team


When management focuses on a major event, there is a loss of focus on
other controls so that the firm is much more likely to experience another
major event. A typical mitigant is the firm’s crisis management team,
which should preferably exclude the CEO, and allow essential business line
management to continue focusing on the business, confident in the knowl-
edge that other members of the senior management team are sorting out
the crisis.

Combinations of events over a period of time


When developing a set of scenarios it is important to consider more than
one major event happening over the period of the scenario. Scenarios do not
involve a combination of events at one point of time, but should be gener-
ated on the much more realistic assumption that one major event may be
followed by another within a matter of months. Indeed, a survey of S&P
500 firms some years ago showed that five out of six firms which suffer one
major event suffer another one within 12 months.

Recognising and mitigating natural biases


In a very helpful working paper2 published in September 2007, the Australian
Prudential Regulation Authority (APRA) notes that there are conscious or
subconscious discrepancies between a participant’s response when developing a
scenario and an accurate description of their underlying knowledge. There are
many biases, but they probably resolve themselves down to two generic types:
• availability bias
• motivational bias.
Availability bias refers to the ease or otherwise with which relevant infor-
mation is recalled. A sub-set of it is overconfidence bias, where undue weight
is given to a very small set of perceived events. Interestingly, it can be over-
come by using two other forms of availability bias, partition dependence
and anchoring. Partition dependence arises when respondents’ responses are
affected by the choices they are asked to make, or the buckets into which their
answers have to be put. Anchoring is the bias towards information presented in
background materials to survey questions or within the questions themselves.
The APRA paper gives an example of this in a question about the population
of Turkey. One group is asked:
1. Is the population of Turkey greater than 30 million?
2. What is the population of Turkey?
The other group is asked:
1. Is the population of Turkey greater than 100 million?
2. What is the population of Turkey?

The answer is around 70 million, but the first group will give answers near to
30 million and the second will give answers near to 100 million. Try it at your
next party and amaze your guests!
The use of external loss data can help in inspiring scenarios which might
otherwise have been overlooked and can therefore mitigate availability bias.
However, availability bias can also affect the frequency assessments. The like-
lihood or frequency of an event may be overstated if the relevant event has
occurred recently or if it has been personal experience. Conversely, the likeli-
hood may be underestimated if the event has not been previously experienced.
For example, someone who has previously been involved in a fire is more likely
to overestimate the risk of a fire. On the other hand, firms often significantly
underestimate the frequency of internal fraud since relatively few internal
frauds are actually detected. It is therefore important to bear in mind availabil-
ity bias and, if necessary, adjust for it, especially when using external loss data.
Taking in this data may give a false sense of having covered most eventualities.
Motivational bias arises when a participant has an interest in influenc-
ing the result. It can lead to the understatement of frequency and impact, the
understatement of the effectiveness of controls, and the understatement of the
uncertainty surrounding the assessment made. It is very common, for example,
for control owners to overstate the efficiency and effectiveness of the controls
for which they are responsible. When a control assessment is presented to the
risk owner and business line manager, a very different view of the capability
of the controls mitigating that risk often emerges. There is also, of course, an
incentive to understate potential losses in order to reduce the capital required
to run the business line or the firm; or simply to provide a rosier view of the
riskiness of the business line to the firm. Making scenarios subject to peer
review, in addition to the formal challenge process carried out by risk manage-
ment, is a good way to reduce the influence of motivational bias.
The influences of these biases can be seen in likelihood assessments.
Estimates for likelihood can be particularly difficult when considering rare
events. It is, for instance, difficult to distinguish between a 1 in 1000 chance
in one year for the event, and a 1 in 10,000 chance. Both events are beyond
most people’s comprehension. Availability bias is almost inevitable in these
circumstances, particularly when using external likelihood data, of which there
will be relatively little. Examples of how likelihood and impact can be assessed
are shown in Tables 9.1 and 9.2.
Impact assessments of scenarios are also prone to problems as most people
find it difficult to think in terms of probability distributions. Ideally, several
impact values for the scenario will be helpful at specified percentiles along the
distribution. This is known as the percentile approach.
From a practical perspective, the assessment quantile for the scenario is
likely to be agreed as the 95th, 99th, 99.9th or ‘worst case’ (which is often sub-
sequently defined as one of the extreme quantiles). This will give one impact
estimate, say £5m, linked with a single likelihood of occurrence, say 1 in 100
chance, and is known as the individual approach. However, the single value
estimate it produces can introduce a spurious accuracy.
An alternative but more difficult approach is the interval approach, which
consists of frequency estimates for a series of distinct impact ranges. This is
conceptually similar to a risk and control assessment approach, although obvi-
ously different in detail.

Table 9.1 Alternative likelihood terms and possible weaknesses

Term               | Low        | Med-low  | Med-high | High           | Possible weakness
Labels             | Low        | Med-low  | Med-high | High           | Subjective; judgemental
Phrases/categories | Impossible | Possible | Probable | Very likely    | Subjective; judgemental
Odds               | 1:100      | 1:30     | 1:10     | 1:2            | Spurious accuracy
Percentages        | 1%         | 3.3%     | 10%      | 50%            | Spurious accuracy
Decimals           | 0.01       | 0.033    | 0.10     | 0.50           | Spurious accuracy
Chance             | 1 in 100   | 1 in 30  | 1 in 10  | 1 in 2         | Spurious accuracy
Ranges             | <1%        | 1–5%     | 5–15%    | 50% or greater | Artificial; may not reflect the true range

Source: Adapted from Information Paper: Applying a Structured Approach to Operational Risk Scenario Analysis in Australia, APRA, copyright Commonwealth of Australia, reproduced by permission.

Table 9.2 Alternative impact terms and possible weaknesses

Term               | Low        | Med-low          | Med-high            | High                  | Possible weakness
Labels             | Low        | Med-low          | Med-high            | High                  | Subjective; judgemental
Phrases/categories | Negligible | Minor            | Moderate            | Severe                | Subjective; judgemental
Values             | £20,000    | £100,000         | £500,000            | £2,000,000            | Spurious accuracy
Ranges             | < £50,000  | £50,000–£250,000 | £250,000–£1,000,000 | £1,000,000–£5,000,000 | Artificial; may not reflect the true range
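The following Python is an added illustration of the interval and percentile approaches; it is not code from the book or from Chase Cooper. It takes one constructed annual frequency per impact range of Table 9.2, simulates annual losses, and reads off the 95th, 99th and 99.9th percentiles; the assumption that an event’s impact is uniform within its range is ours, not the chapter’s.

```python
import math
import random
from typing import Dict, List, Tuple

# Constructed example inputs (not figures from the book): an annual frequency
# estimate for each impact range of Table 9.2, i.e. the interval approach.
# Each entry is (lower bound in GBP, upper bound in GBP, expected events per year).
INTERVAL_ESTIMATES: List[Tuple[float, float, float]] = [
    (0.0, 50_000.0, 2.0),            # < £50,000: a couple of times a year
    (50_000.0, 250_000.0, 0.5),      # £50,000–£250,000: 1 in 2 years
    (250_000.0, 1_000_000.0, 0.1),   # £250,000–£1,000,000: 1 in 10 years
    (1_000_000.0, 5_000_000.0, 0.01),  # £1,000,000–£5,000,000: 1 in 100 years
]


def expected_annual_loss(intervals: List[Tuple[float, float, float]]) -> float:
    """Mean annual loss implied by the interval estimates, taking the midpoint
    of each impact range as the typical loss for an event in that range."""
    return sum(freq * (lo + hi) / 2.0 for lo, hi, freq in intervals)


def poisson_draw(rng: random.Random, lam: float) -> int:
    """Knuth's method for drawing from a Poisson(lam) distribution; adequate
    for the small annual rates used in scenario work."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(intervals: List[Tuple[float, float, float]],
                           years: int, seed: int = 1) -> List[float]:
    """Monte Carlo over many years: for each range draw a Poisson number of
    events, give each event an impact uniform within its range (assumption),
    and sum to an annual loss. Returns one total per simulated year."""
    rng = random.Random(seed)
    losses: List[float] = []
    for _ in range(years):
        total = 0.0
        for lo, hi, freq in intervals:
            for _ in range(poisson_draw(rng, freq)):
                total += rng.uniform(lo, hi)
        losses.append(total)
    return losses


def quantile(values: List[float], q: float) -> float:
    """Empirical quantile (0 < q < 1) of a list of annual losses."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(q * len(ordered)))
    return ordered[idx]


def percentile_view(intervals: List[Tuple[float, float, float]],
                    years: int = 20_000, seed: int = 1) -> Dict[float, float]:
    """The percentile approach: several impact values at specified quantiles
    of the annual loss distribution, rather than one point estimate."""
    losses = simulate_annual_losses(intervals, years, seed)
    return {q: quantile(losses, q) for q in (0.95, 0.99, 0.999)}


if __name__ == "__main__":
    print(f"expected annual loss: £{expected_annual_loss(INTERVAL_ESTIMATES):,.0f}")
    for q, loss in percentile_view(INTERVAL_ESTIMATES).items():
        print(f"{q:.1%} annual loss: £{loss:,.0f}")
```

Comparing the simulated 99th percentile with a single ‘£5m at 1 in 100’ point estimate shows how much the individual approach can gain or lose by collapsing the distribution to one value.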

Other points to consider before developing scenarios


Assumptions
Scenarios will be used in conjunction with the other techniques used by the
firm such as risk and control assessments, forecasting and strategic analysis,
resource allocation and business planning. As a result, the assumptions which
form the base case for the scenarios should be consistent with the assumptions
in the other techniques and should broadly reflect events envisaged in the
long-term plans made by the firm.

Environment
Scenarios should also take account of the broader business environment.
Political, financial/economic, social, technological, environmental and legal
factors will inevitably affect the scenarios over the period they cover. The
scenarios should be challenged by each of these factors to ensure they have been
fully incorporated.

Historic or hypothetical data


Scenarios can be developed using either historical real data or hypothetical
data. When using historical data, care must be taken to reflect changes to the
internal and external environment within which the scenario is planned. A
good starting point is to use the factors mentioned in the paragraph above.
When using a hypothetical approach, care must be taken to devise a scenario
which is sufficiently extreme but still plausible. Either way, the scenarios must
be consistent with the firm’s risk and control profile as there is no value in ana-
lysing stresses which will not apply to the firm.

Using risk and control assessments


The scenarios above are a helpful starting point for developing relevant
scenarios for financial services firms. But it is equally possible to develop sce-
narios by considering the key risks to the firm and assuming that several of the
key risks occur either simultaneously or within appropriate timescales. This
has the advantage of clearly being relevant to the firm, as the key risks have
already been identified through risk and control assessment. However, this
method of development, if used as the only method, has the disadvantage that
extreme risks not identified during the assessment will not be used. Ideally,
scenarios should be developed independently of the risk and control assessment
and then challenged back to it.

Random words
At the other end of the scenario development spectrum lies the random word
methodology. Using random words is a surprisingly powerful way of gener-
ating scenarios. It consists of taking a number of scenario related words or
phrases which may apply to the firm (such as fire, flood, utility failure, out-
sourcer failure, money laundering, internal fraud, terrorist attack) and choosing
two or three at random. A scenario is then constructed around the chosen
words or phrases which is relevant to the firm. It can be surprising how ran-
domly chosen words are a powerful and imaginative way to construct credible
and relevant scenarios.

Using industry information


Scenarios obviously need to be tailored to your particular business activity, but
generic, yet relevant, operational risk scenarios can be found in industry-based
information. We have already mentioned the Lloyd’s scenarios. Another ex-
ample comes from the Basel Committee’s 2008 Loss Data Collection Exercise
for operational risk, published in July 2009.3 A number of scenarios from a
wide cross-section of banks were analysed. Typical scenarios used were:
• embezzlement
• fraudulent transfer of funds
• loan fraud
• occupational accident
• employment discrimination
• regulatory breach
• IT system failure.
These were used by a wide variety of business lines within the banks
concerned. As a comparison, the most common scenarios used by retail
banks were:
• cyber crime
• cheque fraud
• theft of information/data
• regulatory breach
• mis-selling practices.
The retail banking scenarios are clearly more focused on a particular line of
business, whilst the broader, more general, scenarios are just that.

Common scenario outcomes


However the scenarios are generated, a number of common themes emerge
in the outcomes. These are often:
• failure of the firm to meet its objectives (whether these are profit, market
share, staff retention or some other objective)
• funding difficulties
• exposure to fraud
• inability to maintain business volume
• lack of building access
• impact on ratings
• reputational damage
• adverse environmental impact
• supply chain disruption
• major competitor win.
Although any one scenario can be used to test a risk profile, it will really form
a stress test on one parameter. To produce a more extreme tested profile, a
number of the scenarios should be considered as occurring together or over a
reasonable timescale.

Preparing for the extreme event


Once common themes have been identified, a firm can prepare itself by
adopting a variety of defensive approaches. Many of these are good risk man-
agement and should already exist. However, scenarios test risk assessments
and risk appetite and it is vital that the defensive approaches are also tested.
These defensive approaches should be in place and used during normal times so
that they are part of the normal way of doing business. They will be essential
during a period of stress.

Strong risk culture


A strong corporate culture of business risk awareness is an important part
of risk governance. It is particularly important in times of stress and market
extremes. In their report in March 2008 on the financial market problems of
late 2007,4 the Senior Supervisors Group noted that firms which performed
better not only had good risk management structures but also a culture that
gave risk management views appropriate weight at the highest levels.

Integrated risk management


The benefits of an integrated risk management approach also come to the fore
during times of stress. Whilst it is always helpful for senior management and
the board to be aware of the firm’s overall risk profile, it is particularly impor-
tant when the firm is suffering extreme events. Linking together market risk,
credit risk, liquidity risk and operational risk in a scenario will enable a firm to
be more effective in its defensive manoeuvrings.

Informed decision making


An emphasis on informed management decision making and good infor-
mation flow is almost too obvious to state. However, particularly during times
of stress, decisions can be made ‘on the hoof’ and without full information. If a
culture of informed decision making and robust communication up and down
the firm is embedded in everyday business practices, it is more likely to con-
tinue during times of stress.

Risk appetite
Knowing and understanding the firm’s risk appetite and its thresholds may
also help the firm reduce the impact of a stress event. Although it is very likely
that the firm’s risk appetite will be exceeded during a period of stress, there is
more likely to be a defined escalation procedure and understanding of the sen-
sitivities of the firm’s risk profile if consideration is given to the risk appetite.
If a firm does have a developed risk appetite, it is more likely that it will
have a full set of risk and control assessments and a realistic view of the risk
and control profile of the firm. Challenges to the assessments and the result-
ing profile need to be made during normal times for this particular defensive
approach to be valuable. If such challenges form a routine part of the firm’s
governance, the resulting information is much more likely to have the confi-
dence of senior management and therefore to be used in a period of stress.

Business process improvement


Continuous business process improvement can also be an effective defen-
sive structure to protect the firm against difficult times. A corporate mindset
which is flexible is essential at such times. By continuously seeking to chal-
lenge the firm’s business processes, its control environment will have been
subject to significant testing and should therefore be in good shape.

Typical problems following scenario development

Balancing effort and understanding


Scenarios should be kept as far as possible at the strategic level. They should
only be as detailed as they need to be. Scenarios which go down to the nth
degree of detail require much more analysis of risks and controls in order to
generate meaningful results and a tested risk profile. Similarly, a scenario
may touch on a wide variety of events and also therefore require considerable
analysis. Either way significant effort is required to provide a suitable level
of analysis for an extreme (although plausible) event. On the other hand, a
scenario must be developed in sufficient detail that it can be seen to be directly
relevant and appropriate for the firm. A two-word scenario, ‘internal fraud’, is
neither useful nor helpful. The answer is to maintain a balance between effort
and understanding.


9 · Stress tests and scenarios

Rejection of the technique


If too much detail is available, it is much easier to find ambiguities and irrel-
evancies in the scenario. This leads to a rejection of the overall technique. It is,
of course, important to focus on the principle that various extreme but plaus-
ible events should be analysed in order to determine the sensitivity of the firm’s
risk profile to those events. Don’t let that principle be swamped in the detail.

Paralysis
Sometimes the scenario result is so awful that the conclusion is drawn that
little can be done to prepare for it. Even in the event of the scenario showing
that the firm would be liquidated, action can always be taken, including draw-
ing up a ‘living will’, similar to the recent proposals for internationally active
banks discussed in the next section.

The near death experience

Reverse stress tests


Reverse stress tests were previously known as testing to destruction. They
start with a known outcome, for instance that the current business model of
the firm is no longer viable, rather than a normal scenario for which the out-
come is unknown at the start. The scenarios most likely to cause the failure
of the firm are then reviewed. It should be borne in mind, incidentally, that
a firm’s business-as-usual model can fail before its regulatory capital or its
liquidity provisions have been breached. This will probably be because there
is a complete lack of confidence in the marketplace about the firm. As with
normal scenarios, senior management should be involved in the design of the
reverse stress test and in the actions which the firm decides are appropriate as
responses to the reverse stress tests.

‘Living wills’
Reverse stress tests look at the stage shortly before collapse. ‘Living wills’ are
designed to be activated when that point has been reached and will be trig-
gered when certain pre-defined events occur or criteria are met. The ‘living
will’ will specify in some detail how the firm will downsize and completely
restructure its business; allow itself to be acquired or its business to be trans-
ferred; or wind itself down in an orderly fashion over a relatively short period
of time. As well as specifying the detail of how the ‘living will’ works, it is
equally important to decide on realistic trigger(s) for activating it. If a trigger
point is not realistic, there is the danger that the point will be reached, and


management will refuse to acknowledge reality and hope that something may
turn up. The trigger should be fixed at the point where the ‘living will’ cannot
be aborted.

Applying scenarios to operational risk management data

There are two main approaches to applying scenarios to operational risk management data. These are:
• a deterministic approach, which is simple and straightforward to apply, although its results are sometimes difficult to relate to reality. It is far less rigorous and relies on assumptions to a much greater extent
• a probabilistic approach, which uses a statistical methodology for modelling risks and controls, although it is sometimes difficult to understand because of the underlying complex mathematics.

Deterministic approach
This takes the scenarios which have been developed and tests the relevant risk
and control assessment with the scenario outcomes. The testing is carried out
through the analysis of which controls have failed for the scenario to occur and
therefore which risks have happened and what is the impact of those risks.
Useful guidance is given in terms of the size of the likely impacts through
the impact ranges which were developed during the risk and control assess-
ment process. These impact ranges, though, should be considered as guidance
only and should not be slavishly adhered to. For example, some controls which
mitigate a particular risk may still exist and be operable during a scenario
and therefore the impact may be significantly less than is given by the risk’s
impact range. However, the upper value of the range should only be exceeded
after significant debate, as this will have already been considered and discussed
during the risk and control assessments.
Having assessed the impacts of the risk events which occur during a
scenario, it is possible to calculate (through simple addition) the extra impact
of the scenario on the firm’s risk profile. Action can then be taken in terms of
a cost–benefit analysis of the controls which were affected by the scenario. This
is combined with a review of the firm’s risk appetite in order to determine
whether or not control enhancement is required. Additionally, the application
of the scenario and tests may uncover controls which were previously thought
to be adequate and which now require action.


Probabilistic approach
This approach transforms qualitative and subjective risk assessment to mon-
etary values through probabilistic modelling. It uses the same initial step as
the deterministic approach, that is the existing risk and control assessment is
tested with the scenario outcomes in order to determine which controls have
failed. The revised, scenario-adjusted risk and control assessment is then sub-
jected to risk event occurrence through control failure simulation, as we saw in
Chapter 8, Obtaining business benefits from qualitative modelling.
The advantages of this approach are:
• a more focused cost–benefit analysis of controls, as the monetary reduction of the risk profile is explicit
• a clearer view of risk appetite, again as the monetary value of risks and controls is explicit
• the ability to see the monetary impact of the scenario at different explicit confidence levels, rather than simply at one (unarticulated and implicit) level as in the deterministic approach
• the sensitivities of different risks are more apparent as their monetary values are available at different confidence levels
• analyses from different risk perspectives following the scenario (such as the risk owner, the risk category, the top residual risk and the worst and best performing controls) can be more easily extracted
• access to different confidence levels allows reverse stress testing to be better understood, as any scenario can be extended to a level at which the firm is no longer viable.

A worked example
A firm develops a scenario which involves internal fraud (due to an employee
having gambling debts) occurring at the same time as IT system failure. The
firm’s current risk and control assessment contains, inter alia, the risks, con-
trols and assessments shown in Figure 9.3.
The first step is to review the controls and identify those which are assumed to have failed for the purposes of the scenario, as the firm is then exposed to the risks which were mitigated by the failed controls. They are flagged in the Fail column of Figure 9.4 and are:
• criminal background check, which did not identify the fraudster
• training and mentoring schemes, which have not identified that the employee was at risk
• business/strategic planning, which has failed to provide enough focus on an appropriate IT system
• IT system performance and capability monitoring, which has not detected that the system was about to fail
• segregation of duties, which has failed to prevent fraud
• training and mentoring schemes (under the fraud risk), which have also failed to prevent fraud.
Because the criminal background check and the training and mentoring schemes each mitigate both the staff risk and the fraud risk, seven of the 12 control entries in Figure 9.3 have failed. Consideration is then given to improving these controls to ensure that the firm's operational risk exposure is maintained within its risk appetite. Fraud monitoring is a detective control and will not prevent this risk from occurring, but it will detect it when it does occur. For the sake of completeness, the controls which are unaffected by the scenario, although they are still relevant to the risks that have occurred, are salary surveys, retention packages for key staff, manual workarounds and whistleblowing.

Figure 9.3 Extract from current risk and control assessment

ID  Risk                                              I  L  Control                                           D  P
1   Failure to attract, recruit and retain key staff  4  4  Criminal background check                         3  2
                                                            Salary surveys                                    2  2
                                                            Training and mentoring schemes                    3  2
                                                            Retention packages for key staff                  4  4
12  Inadequate or insufficient IT infrastructure      2  4  Business/strategic planning                       3  4
    to achieve business objectives                          IT system performance and capability monitoring   4  3
                                                            Manual workarounds                                2  2
16  Failure to sense and eliminate internal fraud     3  2  Criminal background check                         3  2
                                                            Segregation of duties                             2  3
                                                            Training and mentoring schemes                    3  2
                                                            Fraud monitoring                                  4  4
                                                            Whistle blowing                                   3  3

I = impact and L = likelihood (frequency) of the risk; D = design and P = performance of the control. All are scored 1 to 4.

Impact scales:                      Frequency scales:
1: £0 to £250,000                   1: Less than one occurrence in 10 years
2: £250,000 to £1,000,000           2: Every 10 years to every 3 years
3: £1,000,000 to £5,000,000         3: Every 3 years to once per year
4: £5,000,000 to £20,000,000        4: More than once per year

Source: Courtesy of Chase Cooper Limited

The deterministic approach


The deterministic approach involves simply estimating the average loss for
each risk using the RCA data. For the scenario above, we have three risks
which occur:
1. Failure to attract, recruit and retain key staff (Staff)
12. Inadequate or insufficient IT infrastructure to achieve business objec-
tives (IT)
16. Failure to detect and eliminate internal fraud (Fraud).

Figure 9.4 Extract from risk and control assessment, showing failed controls and subsequent improved controls with new assessment scores

ID  Risk                                              I  L  Control                                           D  P  Fail  Improve  New D  New P
1   Failure to attract, recruit and retain key staff  4  4  Criminal background check                         3  2  Yes   Yes      3      4
                                                            Salary surveys                                    2  2        Yes      2      3
                                                            Training and mentoring schemes                    3  2  Yes   Yes      3      3
                                                            Retention packages for key staff                  4  4                 4      4
12  Inadequate or insufficient IT infrastructure      2  4  Business/strategic planning                       3  4  Yes            3      4
    to achieve business objectives                          IT system performance and capability monitoring   4  3  Yes   Yes      4      4
                                                            Manual workarounds                                2  2                 2      2
16  Failure to sense and eliminate internal fraud     3  2  Criminal background check                         3  2  Yes   Yes      3      4
                                                            Segregation of duties                             2  3  Yes            2      3
                                                            Training and mentoring schemes                    3  2  Yes   Yes      3      4
                                                            Fraud monitoring                                  4  4                 4      4
                                                            Whistle blowing                                   3  3                 3      3

The baseline D and P scores are those of Figure 9.3 (the criminal background check under Risk 16 is scored 3–2, as used in Step 2 below). New D and New P are the scores after the improvements.

Source: Courtesy of Chase Cooper Limited

These are scored 4, 2 and 3 respectively for impact. We now assume that all
the controls have worked as previously scored in the baseline RCA, but that
the controls named on the previous page have failed in the scenario.
The methodology for calculating the baseline, scenario and adjusted baseline
risk and control assessments is as follows:

Step 1 Start with the original baseline risk and control assessment and derive a gross loss
figure, i.e. before the interaction of controls
The gross loss figure is simply given by mid-point of the range or the maxi-
mum impact for each risk which occurs in the scenario. (The mid-point can
be considered to be the deterministic equivalent of the 50th centile; the maxi-
mum impact can be considered to be the worst case, i.e. either the 95th centile
or the 99.9th centile.)
In this case we have three risks, listed above, with impacts in bands 4, 2
and 3. We can assume that with no controls these will be at the mid-point or
at the top of their respective bands, therefore the gross impact for the scenario
will be equal to the mid-point or to the maximum of band 4 plus the equiva-
lents of bands 2 and 3.
As you can see from the impact scale above, the mid-points give £(12.5m +
0.625m + 3m) or £16.125m and the maximum for band 4 is £20m, for band 2
is £1m and for band 3 is £5m, giving a total maximum gross loss of £26m.

Step 2 Calculate the strength of the control environment


We can assume that a full strength control environment will fully mitigate the
risk, i.e. reduce the net risk to zero. So, if a risk is fully mitigated, the impact
amount will be £0m.
The control environment strength is found by the proportion of the con-
trol effectiveness score as a fraction of the maximum potential. Using the
example above, in which controls are scored on a 1 to 4 basis for Design and
Performance, the maximum possible score for a control is 16 (4 × 4).

To find the effectiveness score, we multiply the design and performance scores together for each control, sum the products and then divide by the maximum, which is 16 × [number of controls]. Working through Risk 1, at the baseline level we have four controls scored 3–2, 2–2, 3–2 and 4–4 for design and performance. Multiplying and summing the pairs gives 6 + 4 + 6 + 16 = 32. The maximum potential score is 4 × 16 = 64. Therefore the effectiveness score is 32/64 = 0.5. For Risk 12 the score is 28/48 = 0.583 and for Risk 16 the score is 43/80 = 0.5375.

Step 3 Use control effectiveness to calculate a net loss


The gross loss is positioned at the mid-point or the top of the relevant impact
range, and a fully mitigated risk will have a net loss of zero. It follows that if a
risk is fully mitigated its controls are scored at the maximum, and if the con-
trols have an average of 50% effectiveness this will mitigate 50% of the impact
(either at the mid-point or at the top of the range).
Applying this to Risk 1 again, we have a gross loss of £12.5m or £20m,
a control effectiveness score of 50% and therefore a net impact of £6.25m
or £10m.
Mathematically this is expressed as:
Net impact = Gross impact – [control factor × Gross impact]

Substituting the relevant numbers for Risk 1 gives:


Net maximum impact (Risk 1)
= £20m – [( 3 × 2 + 2 × 2 + 3 × 2 + 4 × 4 )/( 4 × 16 )] × £20m = £10m

Or
Net mid-point impact (Risk 1)
= £12.5m – [( 3 × 2 + 2 × 2 + 3 × 2 + 4 × 4 )/( 4 × 16 )] × £12.5m = £6.25m

So we have values for the maximum and mid-point gross and net losses from
Risk 1 in the scenario. We now duplicate this method with Risks 12 and 16,
to find that in this case
Net maximum impact (Risk 12)
= £1m – [( 3 × 4 + 4 × 3 + 2 × 2 )/( 3 × 16 )] × £1m = £417k

and
Net maximum impact (Risk 16)
= £5m – [( 3 × 2 + 2 × 3 + 3 × 2 + 4 × 4 + 3 × 3 )/( 5 × 16 )] × £5m = £2.313m

The mid-points are similarly calculated.

Step 4 Deriving a total value for the net baseline risk and control assessment
The net impact of this scenario at the baseline level is therefore found by summing the net components of all the relevant risks: in the maximum case £10.000m + £417k + £2.312m = £12.729m, and in the mid-point case £6.250m + £260k + £1.387m = £7.897m.

Step 5 Assessing control failures for the scenario risk and control assessment
The first thing to do is analyse the scenario to work out which controls have failed in order to allow this scenario to occur. In this case, and as shown in the Fail column of Figure 9.4, we have assessed that seven of the 12 controls over the three relevant risks have failed. This judgement is subjective, so you must consider which aspects of the risks and controls are relevant. A control which is not relevant to the scenario is assumed not to be mitigating it; a control which, had it been working correctly, would have prevented the scenario from occurring must be assumed to have failed.
The scenario gross loss is the same as the baseline gross loss, as the risk assessment should not change between the two; only the control assessment changes, and that affects only the net loss.

Step 6 Calculate the new control effectiveness factor


Now we must calculate the new effectiveness factor after certain controls have
failed. Any control failing has a contribution of zero to the effectiveness. So, revis-
iting Risk 1 and its four controls, if we thought that the first and third controls
failed but the second and fourth worked in this scenario, we discount the scores
for 1 and 3 (though they are still counted in the maximum potential). Therefore
the new effectiveness score is ( 0 + 4 + 0 + 16 )/( 4 × 16 ) = 20 / 64 = 0.3125.
We must now calculate the net loss for the scenario using the same method
as in the baseline and the new effectiveness score. In this case, the new net
maximum loss for Risk 1 is
£20m – ( 0.3125 × £20m ) = £13.750m

We then calculate the same for the other risk components of the scenario and,
as before, sum them to find a total net loss.

Step 7 The adjusted baseline scenario


The scenario has indicated where our control weaknesses lie, and as a result we can make some direct improvements to the weaker controls. After doing this, we reassess the control scores (as shown in the Improve, New D and New P columns of Figure 9.4) and compute the adjusted baseline score using these new control scores.
A summary of these values, with the net figures rounded to the nearest £0.1m, is as follows:

                Baseline result £m     Scenario result £m     Adjusted baseline result £m
                Gross      Net         Gross      Net         Gross      Net
Maximum         26.000     12.700      26.000     18.100      26.000     8.500
Mid-point       16.125     7.900       16.125     11.200      16.125     5.200
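Steps 1 to 7 above, carried through in code. This is an added worked example, not code from the book or from Chase Cooper: it transcribes the scores from Figures 9.3 and 9.4 and reproduces the summary table to within the book's rounding. The `Control` and `Risk` classes, the three views (baseline, scenario, adjusted) and the function names are the example's own choices; the book prescribes no code.

```python
"""Deterministic scenario calculation over a risk and control assessment (RCA).

Added example (not the book's own code). Data transcribed from Figures 9.3 and 9.4;
class and function names are the example's own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Impact bands in pounds from Figure 9.3: band -> (lower, upper).
IMPACT_BANDS: Dict[int, Tuple[float, float]] = {
    1: (0, 250_000),
    2: (250_000, 1_000_000),
    3: (1_000_000, 5_000_000),
    4: (5_000_000, 20_000_000),
}
MAX_CONTROL_SCORE = 4 * 4  # design (1-4) x performance (1-4), Step 2


@dataclass
class Control:
    name: str
    design: int
    performance: int
    failed_in_scenario: bool = False              # "Fail" column of Figure 9.4
    improved: Optional[Tuple[int, int]] = None    # (New D, New P) of Figure 9.4, if improved


@dataclass
class Risk:
    rid: int
    name: str
    impact: int       # I, 1-4
    likelihood: int   # L, 1-4 (not used by the deterministic loss figures)
    controls: List[Control]


# Extract of the RCA used in the worked example.
RCA: List[Risk] = [
    Risk(1, "Failure to attract, recruit and retain key staff", 4, 4, [
        Control("Criminal background check", 3, 2, True, (3, 4)),
        Control("Salary surveys", 2, 2, False, (2, 3)),
        Control("Training and mentoring schemes", 3, 2, True, (3, 3)),
        Control("Retention packages for key staff", 4, 4),
    ]),
    Risk(12, "Inadequate or insufficient IT infrastructure", 2, 4, [
        Control("Business/strategic planning", 3, 4, True),
        Control("IT system performance and capability monitoring", 4, 3, True, (4, 4)),
        Control("Manual workarounds", 2, 2),
    ]),
    Risk(16, "Failure to detect and eliminate internal fraud", 3, 2, [
        Control("Criminal background check", 3, 2, True, (3, 4)),
        Control("Segregation of duties", 2, 3, True),
        Control("Training and mentoring schemes", 3, 2, True, (3, 4)),
        Control("Fraud monitoring", 4, 4),
        Control("Whistle blowing", 3, 3),
    ]),
]

VIEWS = ("baseline", "scenario", "adjusted")
POINTS = ("max", "mid")


def gross_loss(risk: Risk, point: str) -> float:
    """Step 1: mid-point or top of the risk's impact band, before any controls."""
    lo, hi = IMPACT_BANDS[risk.impact]
    return (lo + hi) / 2 if point == "mid" else hi


def control_score(c: Control, view: str) -> int:
    """D x P for one control under the chosen view (Steps 2, 6 and 7)."""
    if view == "scenario" and c.failed_in_scenario:
        return 0                       # Step 6: a failed control contributes nothing
    if view == "adjusted" and c.improved is not None:
        return c.improved[0] * c.improved[1]   # Step 7: enhanced scores
    return c.design * c.performance


def effectiveness(risk: Risk, view: str) -> float:
    """Step 2: sum of D x P over the controls as a fraction of the maximum possible."""
    total = sum(control_score(c, view) for c in risk.controls)
    return total / (MAX_CONTROL_SCORE * len(risk.controls))


def net_loss(risk: Risk, point: str, view: str) -> float:
    """Step 3: Net impact = Gross impact - control factor x Gross impact."""
    gross = gross_loss(risk, point)
    return gross - effectiveness(risk, view) * gross


def scenario_table(rca: List[Risk]) -> Dict[Tuple[str, str], Tuple[float, float]]:
    """Steps 4 to 7: (gross, net) totals in pounds for every view and reference point."""
    return {
        (view, point): (
            sum(gross_loss(r, point) for r in rca),
            sum(net_loss(r, point, view) for r in rca),
        )
        for view in VIEWS
        for point in POINTS
    }


if __name__ == "__main__":
    table = scenario_table(RCA)
    print(f"{'':10}" + "".join(f"{v + ' gross':>18}{v + ' net':>16}" for v in VIEWS))
    for point in POINTS:
        cells = "".join(
            f"{table[(v, point)][0] / 1e6:18.3f}{table[(v, point)][1] / 1e6:16.3f}" for v in VIEWS
        )
        print(f"{point:10}" + cells)
```

Run stand-alone, the script prints the gross and net figures in £m for each of the three views; the unrounded net figures (12.729, 18.104 and 8.458 in the maximum case) agree with the rounded summary table. Marking a control `failed_in_scenario` or giving it an `improved` score is the only change needed to test a different scenario or a different remediation plan against the same RCA.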


The probabilistic approach


As noted above, we can probabilistically model the scenario using a Monte
Carlo simulation engine. This takes the risk and control assessment data along
with the assigned distributions for impact and frequency, and uses the Monte
Carlo method to derive a value for each impact at differing confidence levels.
Using the same data as used for the deterministic approach above, the follow-
ing results are obtained:

                         Baseline result £m     Scenario result £m     Adjusted baseline result £m
                         Gross      Net         Gross      Net         Gross      Net
50% confidence level     13.400     0           13.400     13.200      13.400     0
95% confidence level     16.900     5.100       16.900     16.600      16.900     1.800
99.9% confidence level   22.200     10.600      22.200     21.700      22.200     9.200

It can be seen that the maximum deterministic values are at a similar level to
the modelled 99.9% confidence level.

Summary
Scenarios are all about imagination and not being afraid to think the unthink-
able. Indeed, they are totally concerned with the unthinkable. They are not a
mathematical exercise but a practical one, aimed at identifying events or, more
precisely, combinations of events which could threaten a firm’s objectives and
even its existence. As a practical exercise, they are the glue which binds the
other elements of the framework together and test whether the operational risk
framework is robust and fit for purpose. However they do contemplate threats
to the existence of the firm. If those threats appear, the immediate remedy is a
well thought out and fully tested business continuity plan, which we shall con-
sider in the next chapter.

Notes
1 www.lloyds.com.
2 Australian Prudential Regulation Authority, Applying a structured approach to operational
risk scenario analysis in Australia, September 2007; www.apra.gov.au.
3 www.bis.org/publ/bcbs160.htm.
4 Senior Supervisors Group, Observations on Risk Management Practices during the Recent
Market Turbulence, March 2008; www.financialstabilityboard.org.
Part 4
Mitigation and assurance

10. Business continuity
11. Insurance
12. Internal audit

10
Business continuity

Introduction
Business continuity and risk management
Policy and governance
Business impact analysis
Threat and risk assessment
The business continuity strategy and plan
Testing the plan
Maintenance and continuous improvement



Part 4 · Mitigation and assurance

Introduction
It is a fact of life that ‘stuff happens’. Dealing with it is much of what oper-
ational risk management is all about. Many operational risks can be managed
and mitigated down to acceptable levels, as this book has shown. Some things,
however, cannot be prevented. The best we can do is to have in place contin-
gency plans which will mitigate the effects as best we can.
To that extent operational risk is rather like politics. When Harold
Macmillan, British Prime Minister from 1957 to 1963, was asked by a journal-
ist what was most likely to blow a government off course, he famously replied,
‘Events, dear boy, events.’ Business continuity is about coping with the unfore-
seen events, some of them apparently undramatic, which nevertheless threaten
a business’s survival. Attitudes such as ‘It won’t happen to us’, ‘We will cope –
we always do’, ‘We’re not a terrorist target’ are unrealistic and, from a business
point of view, life-threatening.
After an event, firms fall into two categories – ‘recoverers’ and ‘non-
recoverers’. Research regularly shows that firms which successfully deal
with a crisis see their share value increase. Similarly, firms which invest and
budget most on risk, business continuity and governance are the most profit-
able in their sector. Business continuity planning is an investment not a cost.1
Another survey has shown that 80% of businesses which do not have a business
continuity plan close within 18 months of a major incident.2
Many people questioned the huge amounts of money and resource which
went into coping with the potential disaster of the Millennium Bug (Y2K).
The effort and investment repaid itself many times over when the planes hit
the twin towers of the World Trade Center, New York on 11 September 2001.
The enormous amount of work which had gone into cleaning up the spaghetti
of systems which firms were running, understanding infrastructure depen-
dencies and developing and testing comprehensive business continuity plans,
prevented the 9/11 attack from being much more disastrous. Despite the tragic
and horrendous loss of life and disruption, it was business as usual after a brief
four days, including a weekend. Perhaps business continuity’s finest hour.
In his foreword, as Director-General, to a CBI publication on business con-
tinuity, Digby Jones (later Lord Jones of Birmingham) wrote: ‘A reliance on
piecemeal procedures adopted and adapted over time will not suffice. Business
availability is a strategic issue which covers the whole organisation and as such
requires a comprehensive solution.’3 If the business isn’t available, there is no
business. Strategic issues don’t come more critical than that.



10 · Business continuity

Business continuity and risk management


Business continuity is obviously a vital part of overall risk management.
However, Table 10.1 shows the differences between risk and business conti-
nuity management and also what gives business continuity its particular flavour.

Table 10.1 Differences between risk management and business continuity management

                   Risk management                            Business continuity
Key method         Risk analysis                              Business impact assessment
Key parameters     Impact and probability                     Impact and time
Type of incident   All types of events – though usually       Events causing significant disruption
                   segmented
Size of events     All sizes/costs – though usually           Strategy deals with survival-threatening
                   segmented                                  incidents, but can be applied to any size
Scope              Focus mainly on management of risks        Focus mainly on incident management,
                   to core business objectives                generally outside the core competencies
                                                              of the business
Intensity          All, from gradual to sudden                Generally sudden or rapid events, though a
                                                              creeping incident may become severe

Source: The Business Continuity Institute, Good Practice Guidelines 2008, Section 1, p.7

Business continuity deals with the management of incidents which will cause
significant disruption to the business. It deals with low likelihood events but
is mainly dealing with their impact. The impact of an incident, as well as
recovery from it, is measured primarily by time so that disruption to customers
and suppliers is kept to a minimum and business as usual is restored as quickly
as possible. To ensure that happens, firms need to develop and test business
continuity plans, working their way through the business continuity lifecycle.
In practical terms this means:
• Policy and governance
• Business impact analysis
• Threat and risk assessment
• The business continuity strategy and plan
• Testing the plans
• Maintenance and continuous improvement
all of which we shall look at in the rest of this chapter.


Policy and governance


Policy and governance form the cornerstone of business continuity manage-
ment. Without the right governance arrangements, the best plans in the world
are useless.

Policy statement
The policy statement is the benchmark against which all business continuity
activity should be continually checked. Since confusion is often the major ob-
stacle to an effective response to an operational disruption, the policy statement
should clearly set out the level of business continuity the firm sets out to achieve.
It should include:
• the firm's operational framework for business continuity management
• board-level sponsorship
• the roles and responsibilities of senior management and others, including the crisis management team or teams
• authorities to act
• business continuity steering committee (which oversees the development and implementation of the business continuity methodology and procedures)
• the firm's business continuity principles and priorities (e.g. staff welfare and key customer services)
• business critical activities, their resource needs and their time-criticality
• minimum standards for planning documentation, recovery times, service disruption, etc.
Ideally, the key points should be capable of being summarised on a sheet of
A4 paper which can be distributed to everyone. This clear statement of the
firm’s priorities following an incident, with enough indication of recovery
expectations, will provide a framework and context for the rest of business con-
tinuity activity.
Keep it brief – and achievable. Unrealistic policy statements such as ‘zero
downtime’ render the whole document meaningless. What is a realistic recov-
ery time? Which activities genuinely need to be prioritised? What are the
short-term workarounds?

Governance
Business continuity is not an IT issue. Like operational risk, it concerns the
whole business and threats to its existence. It therefore needs to be owned by


all parts of the firm, with a central point of accountability on the board. That
director will sponsor the ‘project’ and be responsible for ensuring that adequate
plans are in place and are regularly tested and reviewed.
Developing, reviewing and invoking the business continuity plan will
involve a steering committee which should be chaired by the board sponsor.
This should include senior stakeholders from business, risk, IT and other sup-
port management. Joining the group should mean a serious time commitment.
Apart from the time which is needed to develop a business continuity plan,
which is rarely trivial, members should be prepared to meet regularly during
the development and implementation phases of the project.
Both the plan and any testing of it should be independently reviewed and
audited, perhaps by the internal or external auditor. Whoever does it, reports
should go to the board, who are ultimately accountable for the project and,
more importantly, for business availability.

Business impact analysis


The business impact analysis provides the basis from which business conti-
nuity strategies and plans can be developed. It is the point in the process
where recovery priorities are established, together with the minimum resources
needed to maintain their availability.
The business impact analysis looks at the impact of given events on business
activities over time. With business continuity, ‘If in doubt, prepare for the worst’.
It should therefore look at worst case scenarios, such as where a department or
service line is completely stopped. This will identify the realistic, as well as
essential, recovery time objective – the time by which critical systems and busi-
ness processes must be up and running after the occurrence of an incident.

Understanding what we do and how we do it


The first step in the business impact analysis is to establish what activities the
firm carries out and how, including how the various activities work together.
The information gathered should include as a minimum:
• a complete list of products or services
• critical processes which support the most important products/services (with time-critical details)
• key staff who support the critical processes
• key systems (including Excel spreadsheets and Word documents), paper records and equipment which support the critical processes
• reliance on internal departments or external suppliers to carry out the critical processes
• reliance on specific premises to carry out critical processes
• key customers and stakeholders who would be affected by the loss of products/services.
A key element of the data gathering process is to identify interdependencies,
not just within the firm but without it as well. Terrorist attacks such as 9/11
or the London bombings in 2005, and the global financial crisis, have high-
lighted systemic risks and dependencies on common infrastructure utilities
and systems.
This phase is a good time also to gather other details such as call trees (essen-
tial people networks to spread information) and existing recovery arrangements.

What is business critical?


The test of criticality is what value is lost over time. For some activities, value lost will increase, perhaps exponentially, as time goes by. For others, the impact may not be felt until perhaps a week later.
It can be difficult to assess costs over time. One way is to use financial targets or budgets and divide the relevant weekly or monthly target into agreed time periods – hourly, daily, etc. In doing this, remember to split out revenue expected from existing and new business. New business is likely to be lost during a disruption.
Finally, don’t forget indirect costs such as regulatory fines or client and intermediary compensation. Added together with direct losses, they will give an estimate of the worst case financial impact – over time.
At this point you should have identified your business critical activities, recovery priorities and the resources needed to maintain them, itemised over time – now, day 1, 2–6 days, week 1, 2, 3 and so on.
The next step is to think about what might happen and the effect on the business critical activities.

Threat and risk assessment

Threats
Before they actually happen, incidents are threats. The risk lies in the likelihood of their becoming incidents and the potential impact if they do.
The incidents which are likely to trigger invocation of the plan are often external threats or causes and largely outside your control. Where controls can make a difference, the incident is likely to happen when those controls have failed.
Each organisation will need to determine the threats which it believes have both sufficient impact and are likely to occur at some point as to be worth considering. The list needs to be reviewed regularly to check the current
assessment of likelihood and to add newly identified threats. For example, only a few years ago only a handful of organisations in the US or EU would have been worried about infectious diseases or pandemics as a business continuity event. Then came SARS in 2003, avian flu (the H5N1 virus) in 2004 and H1N1 flu (swine flu) in 2009 so that pandemics have risen to the top of everybody’s list of threats.

Impact assessment
Essentially, the method of assessment is the same as that used for building and evaluating scenarios in the previous chapter, with the proviso that, with business continuity, time is the critical measure of impact – how long will an interruption have to last to be intolerable, if not catastrophic?
In risk assessment terms, the threats should be at the extreme end of the spectrum in the low-likelihood, very-high-impact section, as measured against a firm’s risk appetite. If the likelihood of a high (residual or net) impact event occurring is considered to be greater than ‘low’ then it is not a suitable case for business continuity. It needs to be dealt with now by a review of controls and probably the introduction of new ones to reduce both its likelihood (if possible) and its impact.

Response triggers
When a threat turns into an incident, it will generate a response. The business
continuity plan formulates those responses. Response triggers usually come
down to half a dozen or so, that are typically variations on loss of premises, staff,
equipment, systems, a production line, key suppliers or outsourced activity.
One of the lessons of the London bombings in July 2005 was that the firms
which were able to respond best had concentrated their business recovery on
impacts and decision making, rather than the nature of a disruption and its
possible causes. As a result, following a more generic-based approach, they had
the flexibility to respond to a broad range of potential scenarios. The key point
about scenarios is not to get into too much detail with them. As with much of
business continuity planning – keep it simple.
Threats should be continually reassessed and reviewed. Whenever a new
threat is identified, it should be checked against existing response triggers. If
necessary, a new one can be added. The importance of each trigger is a mix of
the results of the business impact assessment and the sum of the likelihood of
the threats associated with it.


The business continuity strategy and plan

How to choose the best response


Having identified the incidents which will trigger a business continuity
response, it is time to look at how to identify the best one, which will then
form the basis for the business continuity strategy.
Business continuity is a firm-wide project. In addition, many people will
probably have their own ideas about suitable recovery strategies. It is therefore
best to undertake this phase by way of workshops, or a similar approach which
ensures that all the ramifications of a strategy are understood and that you have
buy-in from everybody concerned.
Gathering everybody together will also help to ensure that strategies and countermeasures do not conflict, so that the solution for one part of the business does not create a new issue for another part of the business or expose it to unmeasured risk.
Two tips:
• Make sure everybody understands the primary objectives – what needs to be achieved must be fully understood. Be pragmatic.
• The biggest risk is generated by doing things differently. Stick as closely as possible to normal practice.
Once you have agreed your approach and got everybody together, the next step
is to list the response options that are currently available and then consider for
each trigger which ones are suitable, and whether there is a risk of failure of
the countermeasures you may wish to use.
In thinking about the options it is important to consider whether each one
– people, place or systems – will be available, given a particular trigger. That’s
where you need to think about threats. A bomb or transport strike may not
just make your building unusable, but also your alternative site.
It is probably helpful to consider the options under headings, such as those
in the example box below:
• business activity levels
• staffing
• locations
• communications
• infrastructure – power
• infrastructure – data and systems
• infrastructure – utilities.
The box provides examples of the kind of questions you need to ask when
assessing the options.


Example
Thinking about the response options
Business activity levels
What levels of business activity are acceptable, for what periods of time? Use a series of levels starting with ‘business as usual’, through one or more ‘emergency levels’ down to ‘no business’.
Staffing
Business continuity critically involves human issues (including families of
staff). In considering your strategy, always remember that human safety is
paramount.
Will there be sufficient staffing in the event of a pandemic, when significant numbers may be quarantined? Would there be sufficient staff in the event of no transport or very limited communications, such as mobile phones? Are sufficient staff trained to carry out critical functions?
The SARS pandemic and 9/11 have emphasised the importance of planning on the basis of there being no people available in a location. Are succession plans adequate?
Locations
What alternative locations are there? These could range from a mirrored site
for immediate use with minimum downtime to working from home. For
most, it will probably involve relocating to a different site, often a syndicated
site. If you have chosen syndicated back-up facilities, will they be available for
all the people who might need them in the event of a ‘wide-area’ event? How
many times has each seat been contracted out in the event of an emergency?
How does the provider assess priorities?
For each kind of alternative site the important thing is for it to be outside
the risk zone of the primary site, and with separate sources of critical supplies
of telecommunications, power and water.
Communications
Another lesson from major, wide-area incidents such as 9/11 is that mobile phone networks cannot handle the concentrated traffic. That means considering the whole range of alternatives: digital and analogue land line telephones, mobile phones (with a reserve of spare batteries), satellite phones, websites, etc.
Where can phone lines be diverted to? What other switchboard/reception
facilities could be used? Importantly, how will you communicate with staff
away from the main site – whether at the alternative site or at home?
And, probably more importantly, how will the crisis management team
keep themselves up to date? It became apparent at the time of the London
bombings in 2005 that the best news of what was happening was coming from
satellite news channels. However, crisis management teams were in locations
without access to them, so that at times staff at the front desk were better
informed than they were.

Infrastructure – power
Will there be sufficient backup power? That problem was highlighted during the major power grid failures in the NE United States and eastern Canada in 2003. The American Stock Exchange appeared to have sufficient backup electrical power. However, the utility also supplied the steam which ran the air conditioning system, and that began to fail as a result of the general lack of electrical power, by which time there was insufficient time to relocate to an alternative site. In the end, a backup steam generation boiler was installed, with the loss of nearly a day’s trading.
Infrastructure – data and systems
How will we ensure systems and up-to-date data will be in place and available for use? What backup data centres exist? Which systems have fallbacks in remote sites? Which systems have backups offsite? How often are the backups sent offsite?
Infrastructure – utilities
In the event of an incident will we be able to rely on utilities such as power, transport and telecommunications? Are there alternatives? If we depend on them, have we tested the availability of supporting infrastructure such as clearing or money transmission facilities, whether we’re a bank or not?

Choosing the strategy


The results of the exercise should enable you to identify a preferred strategy for
each response trigger and assess the effectiveness both of the strategies and of
the controls you have in place for mitigating an incident.
It should also highlight any gaps (i.e. where there is no recovery strategy for
a response trigger) and those strategies which are inadequate. From this you
can identify the priority action areas where you need to focus attention.

Budget and business case


Having identified the preferred strategy you are ready to write the plan. Before you do that, though, you need to obtain a budget. Just because your strategy has a clear relationship with the underlying business risks does not guarantee there is a good business case to justify it. You need to cross-check back to the value that the particular business area brings to the overall organisation, and then calculate how much it would cost to deliver the proposed business continuity strategy – including filling any gaps you have identified.


From strategy to plan


The ‘strategy’ segment is the key thinking point in the business continuity
lifecycle. The planning stage is the practical ‘how to’ phase that follows.
The best way to develop the plan is to sit down with staff and walk through
the various activities, asking ‘why?’ as well as ‘how?’ When the plan is
invoked, it is quite possible that different people will have to put it into action
from those you speak to at this stage. However, if you’ve asked the simple
questions you will end up with a plan which is relatively jargon-free and easy
to implement when it’s needed.
Take time over this so that you and your interlocutors have gone through
everything in detail. The aim must be to get it right first time. There is always
the chance that an incident will occur and the plan will have to be invoked
before it has been fully tested and reviewed.

Documenting the plan


As a minimum, the plan will detail:
• background and scope
• primary objectives and priorities
• members of the various crisis management teams (assuming there are different ones for different generic crises)
• arrangements for testing, training and awareness
• assumptions – at a plan level: these will change over time and must be constantly reviewed to ensure the plan continues to protect the right aspects of the business
• recovery sites
• comprehensive emergency communication protocols and procedures – internally; externally with market/industry; regulatory or other statutory authorities; utilities; security; the public and other stakeholders.
And, of course, the recovery procedures which will ensure continuing business
availability as soon as possible. For each of these you will need:
• a detailed description of the recovery procedures
• an individual owner who is responsible for implementation
• a trigger for invocation
• an authority level for invocation (e.g. board, CEO, Head of IT)
• assumptions – at an activity level, so that any changes to these can be easily identified during subsequent reviews and appropriate action taken.


One word about the crisis management team before we move on to documentation. They are the people who will have management responsibility when the plan is invoked or tested. The team will have representatives from all relevant functions, depending on the type of incident impact being considered. As was pointed out in the previous chapter, unless the firm is so small that it is unavoidable, it should not have the CEO as a member. In the event of a crisis, the CEO continues to run the business. The crisis management team runs the crisis.
However you document – Word file, Blackberry or sophisticated software tool – make sure that it is manageable and readily accessible for all those who will need it. Not everybody needs the whole plan. Work on a ‘need to know’ basis and plan at all levels, from enterprise-wide to individual departments, so that staff have what they need at their level. There is no definitive list of the types of information which a department may find useful during a crisis, but remember that the more that is included, the more work will be needed to keep it up to date.
When a department has an alternative location to relocate to, it can usually store whatever it may need there in the way of specialised equipment and paper documentation. This is often referred to as a contingency box (or battlebox). A list of its contents, together with the last time they were checked or updated, is a vital part of the plan.

Testing the plan

Why test?
As the military often say, no plan survives contact with the enemy. Having said that, thorough planning and training will give you a better chance of succeeding and your business surviving and being available as soon as possible for business as usual.
As a result of the Hanshin-Awaji earthquake which struck Kobe and Osaka in January 1995, Japan, including its financial system, spent considerable effort refining business continuity plans in the light of the lessons learnt from the earthquake. When the Niigata Chuetsu earthquake, 6.8 on the Richter scale, struck the Chuetsu region in October 2004, there was minimal disruption to financial services, despite the considerable structural damage. Frequent lightning strikes in the region had also led to resilient plans to cope with loss of telecommunications, power, water and transport.
Rather than endure an emergency, it is essential to test the plan – or exercise it, as business continuity professionals prefer to say, echoing the military – and learn the lessons. The point of a test is to practise and to learn. The more you test, the more you can continuously improve.
It is often said that a business continuity plan is like a fire extinguisher – it sits inert, possibly for years, but must be there and working when needed.

And as a plan must work under all circumstances, not just ideal ones which, by
definition, will not exist at the time, it needs to be tested as fully as possible –
to the limit in critical areas.

Testing what, and how often?


Fundamentally, it’s up to you. You can do the classical annual event, working the crisis management team, relocating staff to the recovery site and making sure systems and backups work within a reasonable timeframe, keeping your fingers crossed that staff successfully make their way to the site and can log in to the systems. Not great, but the bare minimum. Alternatively, you can identify specific needs and run one of a number of tests, depending on how far you wish to go. These can range from a desktop walk-through, to a simple call tree or notification test, through the relocation test just mentioned, and on to:
• a backup and restoration test – the process and timeframe for backing up data and restoring it onto contingency servers
• a connectivity test – reconnecting sites after a tele- or data failure
• a full technology restoration test,
and all the way to a
• full enterprise-wide test in which a firm relocates to its recovery site for one or two days carrying out business as usual.
You should also seriously consider testing with critical industry participants,
as well as local authorities, utilities and other organisations on which your
business may depend. It’s the only way of finding out whether your plan will
in fact work, since it will inevitably be dependent on these organisations.
The choice is yours, but whatever you choose, the key will be good
planning.

Planning the test


The key to planning the test is to understand the objectives of the test, which in turn will determine its extent. Before you try something too ambitious, it’s worth asking if the firm is ready for the level of the planned exercise, or if you should be building up to it in more gradual test steps. And one final check on your ambition – how disruptive will the test be? Will it be sufficiently practical and achievable and not endanger the organisation?
Once you’ve agreed the objectives and scope of the exercise, it’s time to establish:
• a date
• who will be involved
• that your test will be based on a plan which is up to date
• that facilities will be available
• a system of independent review and evaluation before, during and after the test.
The review before the test could be vital in ensuring that all dependencies have
been allowed for.
Finally, build in sufficient contingency time to restore systems back to the
real-world environment after the test is concluded. This is often under-estimated
so that there is real disruption to business-as-usual, which is not the point of the
exercise and simply brings the business continuity effort into disrepute.

The test
The idea is to validate a process and identify weaknesses or errors in the plan.
It’s a learning experience.
The key to a good test – and a good plan – is documentation. Good documentation should be kept before, during and after the test to form a basis for reviews and for the next test.
During the test, have an independent observer (or more than one, depending
on the scale of the test and resources available) to provide objective feedback
on how the test works, including the effectiveness of communication between
staff, the crisis team and others – and to note where things went well.

After the test


If possible, grab staff before they slip away from the test to get their initial
feedback on things which went well and things which didn’t, whilst they’re
still fresh in the mind. You will probably organise more formal feedback by
way of questionnaire or interview. The key is getting the feedback and then
analysing it.
• Were the test objectives met?
• Was the test completed on time?
• Did the test participants and resources perform as expected?
• Was the testing approach considered appropriate?
• Which parts of the plan were inadequate or out of date?
The lessons learned from testing must be applied to the plan and steps agreed
to remedy any deficiencies. At the same time, the assumptions on which the
plan was based should be reviewed in the light of the test results, including
assumptions made about external dependencies. It may mean that the business
continuity strategy has to be re-evaluated or even changed. That’s why we test.


And keep the report readily available for next time. Otherwise, all those
valuable lessons will be lost and the next exercise will just repeat the mistakes
of the past.

Maintenance and continuous improvement


Testing is a practical way to review the plan and the assumptions on which it
is based. But all risks, assumptions and critical recovery requirements should
be regularly reviewed to ensure that they are up to date and appropriate for
changing business circumstances. Such reviews are key components of the
planning timetable.
Another element which ensures the firm will be prepared for any eventuality is training. It is essential to ensure that staff are familiar with the plan. Training, in addition to testing, is an effective way of ensuring cooperation between recovery team members. It needs to be reviewed, because staff frequently change, as do intra-business relationships.
In the end, it will all be down to communication (which training is designed to enhance) and documentation, without which the whole exercise will be undertaken in an atmosphere of ignorant bliss. Documentation at every stage means that lessons can be learnt and that the process will be capable of being audited and properly reviewed by business line management.
So the final tips are:
Communicate, communicate, communicate
Document, document, document
and
Keep it simple.
The simpler it is, the easier it will be to follow in a crisis and the sooner business availability will be restored.

11 · Insurance

Operational risk and insurance


Insurance speaks to cause
Buying insurance
The insurance carrier
Alternative risk transfer mechanisms
Conclusion


Operational risk and insurance


For some operational risks it’s simple – or at least fairly simple. There’s a fire, you put in a claim, you get the money. The same happens with a burglary, or if an employee is critically ill. Subject to appropriate proof, the insurer pays under the policy. For many operational risks, however, it might be fairer to say that paying the insurance policy premium is akin to taking out an option on a court case, a view policy-holders have been holding since at least 1384. Here is a letter written by Francesco di Marco Datini, merchant of Prato, to his wife:
‘For when they insure, it is sweet to them to take the monies; but when disaster comes it is otherwise and each man draws his rump back, and strives not to pay.’1
And, of course, some operational risks are simply uninsurable, either because it is illegal, impossible or morally hazardous to insure the particular risk, or because of the financial limits of insurance available. In fact, it has been estimated that when allowance is made for uninsurable risks and the levels of deductibles and limits in insurance policies, only 30% of operational risks in financial services are probably eligible to be insured. However, even at 30%, it is the most direct way of mitigating operational risk losses and, if approached properly, a cost-effective way of reducing risk exposure.
It can also mitigate reputation risk when, for instance, there has been a major robbery. And insurers can bring their claims expertise to reducing an operational risk loss. But essentially insurance acts as an operational risk transfer mechanism – to the insurer – at a price.

Insurance speaks to cause


Insurance is a contract of fortuity. In other words, it depends on something
happening which is not foreseen and over which the insured ostensibly has no
control, such as the examples at the beginning of this chapter. If it were the
same as a guarantee it would simply respond to the event having occurred and
pay. It is not like a guarantee because whether an insurance policy will respond
goes back to cause.
In Chapter 1 we talked about the chain of causality:

Cause → Event → Effect

In the context of operational risk and insurance this translates into:

Cause: operational risk event or peril → Event: insurance trigger → Effect: claim/loss

Operational risk often (perhaps too often) concerns itself with identifying and
measuring events. Insurance is also triggered by an event, but it then looks to
why the event occurred. A fire policy will pay for the damage caused by a fire,
but not if it is shown that the cause was arson on the part of the policyholder;
or if a sprinkler system on which the insurance was conditional had not been
installed. Insurance will pay for a theft, but possibly not if the alarm system
had knowingly been allowed to remain inactive for a period of time, or security
controls had lapsed.
The reason why will also determine which kind of policy will respond to an event. Take fraud, for instance. In the case of a bank, it may be covered under a Bankers’ Blanket Bond, assuming it was caused by employee dishonesty. Non-banks will have similar policies covering employee dishonesty. However, if it involved computer crime by somebody outside the firm, then a specialist Electronic Computer Crime policy might come into play. A Professional Indemnity policy’s fraud extension might be relevant if a third party was involved. And finally, in a case like Enron, it could be that the company and non-negligent directors will seek to claim under the company’s own Directors’ & Officers’ policy. In all of these, cause is the critical issue.

Buying insurance
The insurance buyer
To buy insurance effectively you need a clear understanding of your firm’s risk
exposure and also the effectiveness of controls already in place to mitigate that
risk. Given the costs involved, the analysis required and the fact that the whole
point of insurance is to be a mitigant to the residual risks a firm faces, it is
extraordinary how very often, in firms which have a risk function, there is little
or no contact between the insurance buyer and the risk department.
Too often risk buying comes out of procurement or premises management –
presumably on the basis that it is seen as having to do with property and cars
– or at best finds itself parked (possibly with the management of the car fleet)
in the company secretary’s office. So first make sure insurance buying is either
part of the operational risk function, which is where the relevant risk reports
are being captured, or at least has close contact with it.


Buying centrally also helps to ensure that cover is consistent and not duplicated. Too often insurance buying is undertaken in the silos of the various business units, wasting resource and money and probably not getting the best insurance coverage.

Coverage and the asymmetry of information


The next step is to understand what the insurance actually covers, by reading the policies, and then to attempt to map that to the firm’s risk profile.
There will inevitably be exclusions to the policy. Sometimes they simply state what would be expected good practice, such as the fire extinguisher example mentioned earlier. Insurers assume that people will take sensible precautions to protect themselves and their property. In other cases, exclusions clarify intent and make sure that a risk (or peril) is placed in the right kind of policy. In the Enron case, should the claim go against a crime or liability class of policy? The policy makes sure there is no confusion.
In the case of emerging risks, such as cyber terrorism or terrorism generally, they could affect a number of classes of insurance and render historic pricing models obsolete. Similar considerations apply to historic operational risk data which can become less relevant or degrade if the internal or external risk and control environment changes. When new risks emerge, insurers often introduce an exclusion initially from the standard policies, but then design a new product specifically to deal with the risk, which is what has happened in the case of terrorism.
However, insurers have learnt painfully over the years about the times when the risk–reward ratio goes against them across the cycle and why. Premiums are as much market driven as risk driven. Price is not entirely elastic, so insurers’ real protection, especially if market rates are soft, is to restrict coverage.
Risk-pricing depends on information. In the case of an insurance buyer and seller, the asymmetry of information is hugely biased in favour of the buyer. Insurers will often rely primarily on fairly simple parameters such as number of employees, size of assets and where they are based, as well as splits by business type. And of course on historical claims data, where at least they have industry-wide experience to go on. Surprisingly, they often do not ask for details of risk and audit assessments or of losses which fall below the level of the deductible in a policy, the amount which the policy-holder has to bear. Having said that, the intelligent insurance buyer will provide operational risk information which will encourage insurers to improve their offer. There should be a dialogue, so that each side understands where the other is coming from and gets the best deal it can.
So the good risk manager should be armed with detailed information with which to assess the value of the insurance offered. Historical data and/or modelling should point to a reasonable level of deductible, especially for attritional losses which are effectively ‘the cost of doing business’. In the same way, using historic data and resulting estimates of severity, the risk manager should be able to work out a suitable limit or cap to the amount of cover he or she wishes to buy. Figure 11.1 shows this in diagrammatic form.

Figure 11.1 Using the loss distribution curve for insurance buying: lognormal curve showing insurance portion
[Figure: frequency (vertical axis) plotted against severity (horizontal axis), with the severity axis running from ‘Expected’ to ‘Catastrophe’; vertical lines mark the deductible and the insured limit, and the portion between them is labelled ‘Insured’.]
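As an added example (not the book’s own code), the following Python applies the deductible and insured limit of Figure 11.1 to a lognormal severity curve: it splits the expected loss per event into the retained portion below the deductible, the insured layer and the catastrophe tail above the limit, cross-checks the closed form by simulating the policy mechanics, and compares the insurer’s expected payout with a quoted premium. The lognormal parameters, deductible, limit, claim frequency and premium are constructed assumptions.

```python
"""Added example, not from the book: apply the deductible and insured limit of
Figure 11.1 to a lognormal severity curve and split the expected loss per event
into retained, insured and above-limit portions. The lognormal parameters,
deductible, limit, claim frequency and quoted premium below are constructed
assumptions, not figures from the book."""
import math
import random

# Constructed assumptions: median loss of 50,000 with a fat tail (sigma = 1.2).
LOG_MU = math.log(50_000.0)
LOG_SIGMA = 1.2
DEDUCTIBLE = 25_000.0        # policy-holder bears each loss up to this amount
LIMIT = 1_000_000.0          # insurer pays nothing above this amount
ANNUAL_FREQUENCY = 3.0       # expected events of this type per policy year
QUOTED_PREMIUM = 300_000.0   # hypothetical annual premium offered by the insurer


def _phi(z: float) -> float:
    """Standard normal CDF via the error function (no scipy needed)."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def lognormal_mean(mu: float, sigma: float) -> float:
    """Unlimited expected loss per event for X ~ Lognormal(mu, sigma)."""
    return math.exp(mu + sigma * sigma / 2.0)


def limited_expected_value(mu: float, sigma: float, cap):
    """E[min(X, cap)]: expected loss per event once everything above `cap` is
    cut off. `cap=None` means no cap. Closed form for the lognormal:
    E[X; cap] = E[X] * Phi((ln cap - mu - sigma^2) / sigma)
                + cap * (1 - Phi((ln cap - mu) / sigma))."""
    if cap is None:
        return lognormal_mean(mu, sigma)
    if cap <= 0.0:
        return 0.0
    lc = math.log(cap)
    below = lognormal_mean(mu, sigma) * _phi((lc - mu - sigma * sigma) / sigma)
    above = cap * (1.0 - _phi((lc - mu) / sigma))
    return below + above


def split_expected_loss(mu, sigma, deductible, limit):
    """Split E[X] into the three regions of Figure 11.1:
    retained    - losses up to the deductible, borne by the firm
    insured     - the layer between deductible and limit, paid by the insurer
    above_limit - the catastrophe tail beyond the limit, borne by the firm."""
    total = lognormal_mean(mu, sigma)
    lev_deductible = limited_expected_value(mu, sigma, deductible)
    lev_limit = limited_expected_value(mu, sigma, limit)
    return {
        "retained": lev_deductible,
        "insured": lev_limit - lev_deductible,
        "above_limit": total - lev_limit,
        "total": total,
    }


def pure_premium(frequency, mu, sigma, deductible, limit):
    """Insurer's expected annual payout for the layer (frequency x layer mean).
    The gap between this and the quoted premium is the loading for expenses,
    profit and the insurer's own uncertainty; it is the buyer's first check."""
    return frequency * split_expected_loss(mu, sigma, deductible, limit)["insured"]


def monte_carlo_layer(mu, sigma, deductible, limit, n=200_000, seed=7):
    """Cross-check of the closed form: simulate losses and apply the policy
    mechanics directly, paying min(max(X - deductible, 0), limit - deductible)."""
    rng = random.Random(seed)
    cap = math.inf if limit is None else limit - deductible
    paid = 0.0
    for _ in range(n):
        loss = rng.lognormvariate(mu, sigma)
        paid += min(max(loss - deductible, 0.0), cap)
    return paid / n


if __name__ == "__main__":
    parts = split_expected_loss(LOG_MU, LOG_SIGMA, DEDUCTIBLE, LIMIT)
    for name, value in parts.items():
        print(f"{name:>12}: {value:>12,.0f}")
    mc = monte_carlo_layer(LOG_MU, LOG_SIGMA, DEDUCTIBLE, LIMIT)
    print(f"Monte Carlo insured layer: {mc:,.0f}")
    pp = pure_premium(ANNUAL_FREQUENCY, LOG_MU, LOG_SIGMA, DEDUCTIBLE, LIMIT)
    print(f"pure premium {pp:,.0f} vs quoted {QUOTED_PREMIUM:,.0f} "
          f"(loading x{QUOTED_PREMIUM / pp:.2f})")
```

Changing the deductible or limit and rerunning shows directly how much expected loss moves between the retained, insured and catastrophe regions, which is the trade-off the figure illustrates.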

Mapping
In order to evaluate whether it is worth buying insurance, you must first assess
how far it covers the risks you have identified. That’s not too difficult where
the class of insurance maps neatly onto your loss event type, such as with fire
and property damage. But that’s a minority of operational loss events.
With operational risk, a number of causes can lead to a particular type of loss event and a particular cause can trigger a number of different types of loss event. In the same way, as we saw above with the internal fraud example, different types of policy will respond to a particular loss event, depending on the cause, and a particular class of policy may respond to a range of loss events.
The Bankers’ Blanket Bond, which is essentially a crime policy, will cover fraud and theft, for instance, two major classes of operational risk. But other policies such as Electronic Computer Crime, Directors’ and Officers’ liability and Professional Indemnity policies may also respond. Similarly, with theft from banks, the Bankers’ Blanket Bond covers theft of physical property such as computers, cash or artwork, but does not cover theft of intellectual property. For that, again depending on cause, you may have to turn to a Fidelity Guarantee policy (covering your own loss) or a Professional Indemnity policy if a third party has suffered loss and the firm was unaware of the theft.
Where simple direct mapping from a risk category such as fire is not
possible to help assess the value of insurance, the best answer is to use scenarios
(see Chapter 9, Stress tests and scenarios). That is what the insurance industry



Part 4 · Mitigation and assurance

does, not only to understand its own underwriting risk exposure, but also to
evaluate its operational risk, as was noted in Chapter 9. If you use scenarios to
assess your operational risk exposure, use them to test your insurance cover-
age. Whether you are assessing insurance or operational risk exposures, a severe
enough scenario is generally produced by considering a number of serious
events happening over an appropriate time. In assessing insurance coverage, an
appropriate time could be the 12-month term of most insurance policies.

Evaluating the cost


The first thing to remember is that a non-life insurance policy has no intrinsic
value. Policies taken out by different firms may have the same monetary limits,
but the value of the policy to each insured will be different. It will depend
on the precise wording of the policy, the deductibles, exclusions and, most
importantly, an individual firm’s risk profile. Each policy is different and each
insured has a different risk profile.
Evaluating the scenarios will lead to an estimate of loss which can then be
matched against the relevant coverage and insurance premiums being offered.
By tweaking deductibles, limits and exclusions, from the information you have
and the assumptions you make in modelling your scenarios, you can find out
how that would affect premiums.
After that, it is a question of comparing the cost of capital to support the
relevant operational risk against the premium you are being asked to pay. If
the operational risk capital multiplied by the internal cost of capital is greater
than the premium asked, it sounds like you have a good deal. That comparison is
only as good as the mapping behind it: it holds for the layer the policy actually
covers, net of the deductible and exclusions, and for a claim that will in fact be
paid, and paid in reasonable time. In many ways, the sums should add up because
the basis of insurance is to spread the risk and so be able to charge a competitive
premium. Signor Datini worked that out in the fourteenth century and so gathered
his merchant colleagues into a form of mutual insurance. And, of course, the same
principle applied to those who met in Edward Lloyd’s coffee house in the City of
London in the seventeenth century. By pooling their risks, they were able to
spread the cost.
This is perhaps the point to remember that insurance is not about capital
replacement – at least not in the short term – even if its value can be assessed
against the cost of capital. Cause has to be established before an insurance
claim can be progressed. An event may happen in 2001 which gives rise to,
say, a claim of negligence. Whilst you will notify your insurer of the possi-
bility of a claim, it may take years before negligence is ascribed to you, the
insured. Once it is, you can go to your insurance company and provide proof
of loss. But that, too, may lead to further time being spent whilst it is deter-
mined that the specific circumstances are covered by your policy, or whether
and to what extent you may have contributed to the loss. Once everything is
agreed, the insurer will pay. But that can be years after the operational risk
event occurred.




That points also to the importance of having data which enable you to assess
the net present value of the amount which is finally paid, allowing for the time
value of money over the gap between the event occurring and the settlement being
received, and for the uncertainty about both the amount and the timing of that
settlement.
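
The layering in Figure 11.1, the premium test in the cost evaluation above and the time-value point just made can be put to work on a loss distribution. The following is an added example written for this edition, not code from the book or from Chase Cooper; the loss parameters (a lognormal with median 50,000 and sigma 1.2), the four events a year, the 100,000 deductible, the 5,000,000 insured limit and the discount rate are constructed assumptions chosen for illustration. It computes the insurer’s expected payment per event for the layer between deductible and limit in closed form, cross-checks that against a Monte Carlo run, discounts a late-settled claim and applies the chapter’s capital-times-cost-of-capital test to a premium.

```python
"""Layering an insurance programme over a lognormal loss curve (Figure 11.1).

Added example: the loss parameters, frequency and policy terms below are
constructed assumptions for illustration, not figures from the book.
"""
import math
import random

# Constructed assumptions: median single loss 50,000, lognormal sigma 1.2,
# four events a year, a per-event deductible of 100,000 and an insured limit
# of 5,000,000 on the severity axis (the insurer pays the layer in between).
MU = math.log(50_000)
SIGMA = 1.2
FREQUENCY = 4.0
DEDUCTIBLE = 100_000.0
INSURED_LIMIT = 5_000_000.0


def norm_cdf(x: float) -> float:
    """Standard normal CDF from the error function (stdlib only)."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def lognormal_mean(mu: float, sigma: float) -> float:
    """Expected severity of one event, E[X] = exp(mu + sigma^2 / 2)."""
    return math.exp(mu + sigma * sigma / 2.0)


def layer_losses(loss: float, deductible: float, insured_limit: float) -> tuple[float, float, float]:
    """Split one loss into (retained below deductible, paid by insurer, retained above limit).

    `insured_limit` is the point on the severity axis where cover stops, as in
    Figure 11.1, so the insured layer is insured_limit - deductible wide.
    """
    retained = min(loss, deductible)
    insured = min(max(loss - deductible, 0.0), insured_limit - deductible)
    excess = max(loss - insured_limit, 0.0)
    return retained, insured, excess


def expected_excess(mu: float, sigma: float, k: float) -> float:
    """E[max(X - k, 0)] for X ~ LogNormal(mu, sigma): the stop-loss transform."""
    if k <= 0.0:
        return lognormal_mean(mu, sigma)
    if math.isinf(k):
        return 0.0
    z = (math.log(k) - mu) / sigma
    return lognormal_mean(mu, sigma) * norm_cdf(sigma - z) - k * norm_cdf(-z)


def expected_layer_loss(mu: float, sigma: float, deductible: float, insured_limit: float) -> float:
    """Expected insurer payment per event for the layer between deductible and limit."""
    return expected_excess(mu, sigma, deductible) - expected_excess(mu, sigma, insured_limit)


def simulate_annual_programme(mu, sigma, frequency, deductible, insured_limit, years=20_000, seed=7):
    """Monte Carlo cross-check: Poisson event count per year, lognormal severity per event.

    Returns the mean annual (retained, insured, excess) over the simulated years.
    """
    rng = random.Random(seed)
    totals = [0.0, 0.0, 0.0]
    threshold = math.exp(-frequency)
    for _ in range(years):
        # Knuth's method for a Poisson variate (the stdlib has no poisson()).
        count, p = 0, rng.random()
        while p > threshold:
            count += 1
            p *= rng.random()
        for _ in range(count):
            parts = layer_losses(rng.lognormvariate(mu, sigma), deductible, insured_limit)
            for i in range(3):
                totals[i] += parts[i]
    return tuple(t / years for t in totals)


def settlement_present_value(amount: float, years_to_settle: float, discount_rate: float) -> float:
    """Present value of a claim paid `years_to_settle` years after the event."""
    return amount / (1.0 + discount_rate) ** years_to_settle


def premium_is_attractive(premium: float, capital_relieved: float, cost_of_capital: float) -> bool:
    """The chapter's rule of thumb: cover looks worthwhile when the operational
    risk capital it relieves, times the internal cost of capital, exceeds the premium."""
    return capital_relieved * cost_of_capital > premium


if __name__ == "__main__":
    per_event = expected_layer_loss(MU, SIGMA, DEDUCTIBLE, INSURED_LIMIT)
    print(f"expected insurer payment per event: {per_event:,.0f}")
    print(f"expected annual recovery (analytic): {FREQUENCY * per_event:,.0f}")
    sim = simulate_annual_programme(MU, SIGMA, FREQUENCY, DEDUCTIBLE, INSURED_LIMIT)
    print("simulated annual (retained, insured, excess):", tuple(round(v) for v in sim))
    print(f"PV of 1,000,000 settled after 3 years at 5%: {settlement_present_value(1e6, 3, 0.05):,.0f}")
    print("premium of 150,000 against 2,000,000 of capital at 10%:",
          premium_is_attractive(150_000.0, 2_000_000.0, 0.10))
```

Moving the deductible to the right or the limit to the left shrinks the insured layer and the expected recovery; repeating the calculation for the terms actually quoted is the tweaking of deductibles and limits the text describes. The Monte Carlo run should agree with the closed form to within a few per cent, which is the check to run before trusting either number.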

Types of policy
In this connection it is worth remembering that there are broadly three types of
policy: losses occurring, claims made and losses discovered (or discovery based).
With a losses occurring policy, the loss must occur during the period
covered by the policy. These are the types of policy with which most of us are
familiar in our private lives – property, motor and so on.
With a claims made policy, the insured must notify a circumstance,
accepted by the insurer, during the term of the policy, even though the event
may have taken place before that period. Into this category fall the various lia-
bility policies such as Directors’ and Officers’ or Professional Indemnity.
With a discovery-based policy, the policy responds to an event discovered
during the policy period, again even though the event itself happened some
years before. A good example would be an Unauthorised Trading policy. As a
class of insurance it was not available until some time after the Barings case in
1995, but it would have covered the Allfirst Financial case, which came to light
in early 2002, where the deceptions practised by trader John Rusnak went back
some five years before they were finally discovered.
Table 11.1 gives some idea of the range of policies which a firm might con-
sider buying and how the policies fit in to the three broad categories of policy.

Table 11.1 Types of insurance cover


Policy coverage Type of cover
Business Interruption policy Losses occurring
Computer Crime policy Losses discovered
Commercial General Liability policy Claims made
Directors’ & Officers’ Liability policy Claims made
Employment Practices Liability policy Claims made
Key Man policy Losses occurring
Kidnap and Ransom policy Losses occurring
Motor fleet Losses occurring
Pension Trustee Liability policy Claims made
Property Insurance policy Losses occurring
Professional Indemnity (Civil Liability) policy Claims made
Terrorism policy Losses occurring
Unauthorised Trading policy Losses discovered




The insurance carrier


The capitalisation of the general insurance market world-wide is probably less
than the capitalisation of HSBC, or a similar global corporation, alone. That,
and events such as the collapse and rescue of the giant AIG in September
2008, show the importance of assessing the creditworthiness, or more specifi-
cally claims-paying ability, of the insurer.
Naturally, insurers are rated just like every other corporate, but it is a dif-
ficult decision to accept that you are paying for protection from a firm which
is less creditworthy than you are. Indeed, it makes little sense, unless the mere
transfer of risk is so attractive or the coverage is based on reducing reputation
risk, as described earlier in the chapter.
So evaluating the security of the insurer is important, whatever size of com-
pany you or they are, and it may be prudent, depending on the importance
of insurance to the firm, to have a system of credit limits in place as a check
against over-reliance on one particular insurer. Of course, one way of reducing
exposure is to take a leaf out of the insurer’s book and spread the credit risk
through co-insurance with a number of insurers. But that’s a discussion for you
and your insurance broker.

Alternative risk transfer mechanisms


Most insurance needs relating to operational risk are satisfied by the con-
ventional insurance market. However, for some risks there may be no cover
available in the conventional market, either because of the nature of the risks
or the size of cover required. Hugely increased coverage has been demanded by
industries such as energy, space or even mass air transport. New types of claim,
such as latent disease, pollution and terrorism, have emerged. Greater aware-
ness and knowledge of insurance by better informed insurance buyers has also
led to a questioning of traditional insurance methods, pricing and distribution.
As a result, a new generation of alternative risk transfer mechanisms has been
developed by both the insurance and capital markets.2

Captive insurance companies (‘captives’)


A ‘captive’ is an insurance company formed to insure or reinsure the risks of its
(generally non-insurance) parent or associated third parties. Whilst most are
wholly-owned subsidiaries which insure the risks of their parent, over 10% have
been formed by trade associations, industry bodies or specific groups of com-
panies to share their members’ risks and address their specific insurance needs.
Captives can be an efficient way of obtaining insurance cover. For a tra-
ditional insurer, up to 35% of its premium cost may have to be charged to cover




expenses whereas, for a captive, the charge can come down to 5%. This is driven
in part by the growth of captive management companies, which enable the
parent to benefit from not having to staff a fully functioning insurance company.
Other benefits of forming a captive include:
• it may be the only way in which a parent can obtain cover for certain risks, or at least cover at a reasonable price
• being able to take a share of the more attractive layers of an insurance programme
• premiums paid to a captive, as well as its reserves, are available for investment – until they are needed to pay for claims
• reasonable premiums paid to a captive are tax deductible, whereas reserves maintained to cover losses in the form of self-insurance are not
• reinsurers may quote lower premiums to a captive due to the fact that the parent is financially involved with its own risk: however, reinsurance requirements can also be different from a traditional insurer, since risk will be much less diversified
• direct access to the reinsurance market should also mean lower premiums since the costs have been avoided of going to the direct insurance market.
It is not uncommon for some captive structures to use a ‘fronting’ insurance
company – a licensed insurer which issues the policy in the jurisdiction where
cover is required – with the captive taking on the role of reinsurer.
Whether to use a captive or not depends on: a clear understanding of the
parent group’s risks and risk management; the true cost savings involved; and
the effect on earnings volatility of replacing the range of external insurances
with a substantial degree of self-financing, just as with self-insurance con-
sidered below.
However, for specialist needs, captives can be a more stable source of
insurance for a firm than traditional carriers – provided effective reinsurance
can be obtained.

Mutual insurance companies (‘mutuals’)


The section on captives mentioned that they were sometimes set up by indus-
try bodies to protect their members’ risks. That concept lies at the heart of
mutual insurance companies, which are owned by their policyholders, unlike
captives, which are generally owned by a single parent.
Mutuals also have a long history. Examples are:
• marine mutuals, formed by ship-owners to protect their fleets in a particular port
• fire mutuals, formed by property-owners to protect property in a particular town or region




• the factory mutual system, originally formed by New England mill-owners who could not get fire insurance
• trade mutuals formed by companies in a particular industry.
Perhaps the best known mutuals today are the marine P&I (protection and
indemnity) clubs. Protection covers liabilities relating to crew, passengers,
ports and docks. Indemnity covers cargo liability.
The advantage of mutuals is that they are non-profit making and so can
produce better returns or lower premium rates than other insurers. They may
also have specialist knowledge of the risks being underwritten, which can pro-
duce better underwriting results and secure better reinsurance cover and terms.
They are particularly useful as a concept for mitigating operational risk, since
they can enable industries to free themselves from the general market when
that market has either closed the door to them or is only offering penal rates
and conditions. The disadvantage is that members face the possibility of a call
in the event of a serious claim made by any one of them.

Capital markets
For a number of years, capital markets and insurance professionals have been
working to see if a capital market instrument could be devised which would
protect against a firm’s overall level of operational risk. If so, it could mean
that investors outside the insurance market could be brought in and so increase
capacity for protection.
Such thoughts were prompted by the success of catastrophe bonds and other
instruments. Catastrophe bonds were developed following Hurricane Andrew in
1992 which, at a cost of around US$30bn, was the most expensive hurricane in
US history, until it was surpassed by Hurricane Katrina in 2005. The market
really began in earnest in 1997 when over US$500m of bonds were issued,
rising steadily to US$2bn in 2005 and then rapidly to US$7bn in 2007.3
Catastrophe bonds are issued by an insurer or other organisation. They are
neither insurance nor reinsurance but are structured as investments. There is no
requirement for an insurable interest. They provide for normal redemption at
term, but in the event of a catastrophe within predetermined limits of geogra-
phy, type and size of loss, the investors in the bonds contribute to the loss by
forfeiting their interest and/or principal. A typical example of a qualifying event
would be an earthquake occurring of a particular size on the Richter scale and
within a certain radius of a predetermined point, such as the centre of Tokyo.
They generally relate to property damage caused by a catastrophic natural
or man-made event. They are particularly attractive to investors in the harden-
ing market which follows ‘market-changing’ events such as Hurricane Katrina
and the attacks on the World Trade Center in September 2001, so that returns
can be considerable if no further catastrophe occurs. And indeed by the end




of 2007 they accounted for 12% of US and 8% of global property insurance


limits.4 However, they tend to lose their attraction when rates soften. After
the record year of 2007, issuance has dropped to an annual figure of around US
$4–5bn.5
It is perhaps no accident that these instruments cover specific events such as
hurricanes or earthquakes in a particular geographic location, since there is a
large body of historic data to support assessment of the frequency and severity
of an event. Operational risk, however, is business-wide and, as we have shown
repeatedly in this book, is difficult to assess to the level of confidence which
could create a benchmark index which would sustain a deep and liquid capital
trading market.
There is one area, though, where firms can protect themselves against the
effects of a particular threat to their business – weather derivatives. Whilst
general insurance (and catastrophe bonds) offer protection against low
probability, catastrophic risks, firms can buy protection against higher prob-
ability weather events. Weather derivatives were first traded on the Chicago
Mercantile Exchange in 1999. They settle against an index of temperatures
recorded over a particular period at a particular location – typically cumulative
heating degree days for the winter and cooling degree days for the summer – and
pay out when the index finishes above or below the agreed strike level. Principal
users are energy-related companies, but agricultural businesses and those involved
in transport and tourism are also beginning to protect themselves against above
average hot summers or cold winters.
Capital markets are extending the alternatives available for mitigating certain
operational risks, but we are still a long way from a capital market alternative to
insurance to protect against the general range of operational risks.

Self-insurance
The one alternative which is available to everybody is self-insurance – or not
buying insurance. Self-insurance is a perfectly reasonable option, provided the
risks have been fully assessed and managed. So the best form of self-insurance
is good internal controls. Self-insurance can, of course, be inadvertent – or
even deliberate, but badly thought out. For our purposes, let’s assume rational
behaviour and good operational risk management.
Insurance removes an element of financial uncertainty and replaces a
possible unknown large loss by a series of smaller known premium payments.
The rationale for self-insurance is that the cost of insurance in the form of pre-
miums is removed, as is the loss of the time value of money between paying
the premiums and receiving a claims payment. And of course the money saved
is available for investment. However, these benefits are offset by the volatility
of losses which may occur if insurable operational risk events occur.
If we return to the curve shown in Figure 11.1, it is highly likely that firms
will self-insure for the attritional losses, the cost of doing business. Where the




discussion becomes more interesting is the extent to which a firm is prepared


to self-insure as it moves along the curve.
As with the cost evaluation described above, the fundamental rationale is
to look at the cost of loss and the cost of controls which maintain losses at an
acceptable level and then consider whether the cost of insurance shows a ben-
efit. Once you get further along the curve either in relative or in absolute
terms, the debate becomes more difficult. It will depend on the confidence you
have in the firm’s ability to assess and manage its risk exposure, as well as its
risk culture and risk appetite.
In some cases, of course, a very large firm may be prepared to suffer indi-
vidual losses of, say, US$500m and find that the cost of only buying insurance
above this level is penal or even find that there is little or no market. To that
extent the market may force firms to self-insure – or spend more on controls to
offset the possible volatility in results which could follow a major loss.

Conclusion
Insurance is probably the commonest form of operational risk transfer. It is,
however, one which is not well understood. If the right person is put in charge
of buying it across the firm – somebody who knows how it works and who
works closely with operational risk management to understand the firm’s risk
profile – then it can be a hugely business beneficial exercise. However, if you
fully understand your operational risk profile and what insurance offers, you
can also make an intelligent and informed decision to self-insure, which might
be just as business beneficial.

Notes
1 Iris Origo, The Merchant of Prato (London: Jonathan Cape), 1957.
2 The section on alternative risk transfer mechanisms draws extensively on sections of
Alternative risk financing: changing the face of insurance (London: Jim Bannister Developments
Limited), 1998, written by the inestimable insurance expert, Jim Bannister.
3 Guy Carpenter, The catastrophe bond market at year-end 2007; www.guycarp.com.
4 Ibid.
5 www.thomsonreuters.com.



12
Internal audit – the third line of
defence

The three lines of defence


Independent assurance
Internal and external audit
Internal audit and risk management oversight
The role of internal audit
Audit committees
Effective internal audit

227

M12_BLUN7323_01_SE_C12.indd 227 29/06/2010 09:53



The three lines of defence


Internal audit forms a critical part of the third of the classic three lines of
defence shown in Figure 12.1.

Figure 12.1 The three lines of defence

[Figure: the Board and its Audit Committee sit above the three columns below.]

First line of defence – Primary risk and control responsibility
Business line management
• Promotes strong risk culture
• Sets risk appetite; creates risk definitions
• Owner of risk management process
• Implements controls
• Day-to-day risk management by risk takers

Second line of defence – Oversight
Risk management, HR, finance, IT, compliance
• Develops centralised policies and standards
• Develops risk management processes and controls
• Monitors and reports on risk

Third line of defence – Independent assurance
Audit
• Provides independent and objective challenge to the levels of assurance provided by business operations and oversight
• Validates processes in risk management framework

The first line of defence, the business lines, is responsible for establishing an
appropriate risk and control environment. Establishing and maintaining a
strong risk culture, agreeing the practical application of risk appetite and risk
definitions, putting in place adequate controls and operating the risk manage-
ment framework are all part of the day-to-day responsibilities of business line
management. Good risk management is fundamental to business success and
should be aligned to business objectives. That is why its primary responsibility
rests with the business, the first line of defence.
The second line of defence involves those who provide oversight over busi-
ness processes and risks, and monitor the proper implementation of risk
management policies and the risk management framework. They provide
advice and support to the business lines on risk management; they challenge
the inputs and outputs provided by the business lines in risk measurement and
reporting; and they ensure a consistent application of risk management policies



12 · Internal audit

throughout the firm. Operating against the background of the board’s agreed
strategy and risk appetite, they are management’s assurance mechanism, pro-
viding reports to business line management and to the board. They challenge
the risk management information produced by the business lines, such as key
performance, risk and control indicators and risk and control assessments.
The third line of defence, the audit process, has two complementary parts
– internal and external audit. Internal audit provides independent assurance
to the board on the effective operation of the risk management framework
and validates the risk measurement process. External audit’s role is to give an
opinion on the financial statements. To enable it to do this, it has to assure
itself of the quality of risk governance and of controls over such things as ethi-
cal values, management style and values, and human resource policies and
practice. These factors provide the auditor with assurance that information
provided to it is likely to be transparent, rather than forming part of its assur-
ance to the board.

Independent assurance

Independence
In order to fulfil its function, internal audit must be functionally independent
from the activities it audits. Clearly it must be independent of the business
lines. Whilst it may have a direct line to the CEO or CFO for administrative
purposes (‘pay and rations’), they should not be its functional reporting line. Nor should the head of internal audit
report to the CRO. Since internal audit is required to provide assurance on the
risk management process, reporting to the CRO presents an obvious conflict
of interest. That conflict is not resolved by dotted line reporting elsewhere.
Dotted lines, like dual lines, are a fudge. Delete them.
Assuming there is an audit committee, it should report to the chair of
that committee. If there is no audit committee, it should report to the non-
executive chairman or senior non-executive director. The point of reporting to
the non-executive directors is that internal audit must have a direct functional
line to those who are there to oversee management and to assess the firm inde-
pendently and objectively on behalf of shareholders.
The approach of an audit committee should be trust, with verification.
Internal audit provides that independent verification. Reporting to the audit
committee will protect internal audit’s organisational independence and objec-
tivity. If internal audit reports only to the CFO, or another senior executive,
its independence is immediately called into question. In this chapter we shall
assume that the function to which internal audit reports is the audit committee.
Maintaining independence is easier said than done, especially in the face
of some regulatory demands. The Sarbanes-Oxley legislation in the USA, for




instance, requires independent verification of information and for senior man-


agement sign-off. Ideally, an independent team should fulfil this function.
There is a danger that if internal audit provides the independent verification
of the information, it may be seen as effectively the ‘owner’ of the infor-
mation rather than management.1 That can present an immediate conflict with
the need for internal audit to be independent of the design, inputs and outputs
of the process and to provide appropriate assurance.

Assurance
From a risk perspective, internal auditors will normally provide assurance on:
• risk governance and the risk management processes from board level down, looking at their design and how well they are working
• the management and oversight process for risks, including the effectiveness of controls and other responses to them
• the accuracy and reliability of the components of the risk assessment and reporting process.
Whilst management, and especially those providing risk management oversight,
will challenge the accuracy of risk assessments provided by the business, there
needs to be an independent review to ensure the reliability and robustness of the
assessment process, including data inputs, assumptions and outputs.
There is no single method, partly because the nature of assessment processes,
especially with operational risk, is so various. Assurance concerns all aspects
of the process. It tests processes to ensure that information is complete, accu-
rate and valid. In this context, valid means that the information is genuine and
not fictitious.
A good example is the auditing of scenarios and stress tests, which we dis-
cussed in Chapter 9. Scenarios rely on judgemental and expert decisions, so
that independent review plays a key role in reviewing the process. Here are
some of the qualitative questions that could be asked about the process:
• Were all the right people involved in the assessment?
• Challenge by risk managers and others is an important part of the process, but were the challenges consistent across the various scenarios?
• Since they involve a significant degree of subjective judgement, scenarios are notoriously open to human biases, as outlined in Chapter 9. Have these been adequately considered and mitigated?
• Have all the causes, events and consequences been included, and included appropriately?
• Has the process been adequately documented, so that it could be replicated in a consistent manner?




In summary, business line management creates the scenarios and assumptions;


risk management challenges the assumptions made in the scenarios and the
outcomes; internal audit provides assurance on the process and the process by
which the assumptions are derived.

Internal and external audit


Internal and external audit share a common agenda of providing assurance to
the board that the risk and control processes are appropriate and effective. Both
should function independently of management and report to the board. But
there are differences in the roles they play.
Internal auditors are part of the organisation and, whilst they maintain their
independence, their objectives are determined by the audit committee or, in
its absence, the board. External auditors are, by definition, outside the organis-
ation. Their objectives, whilst framed and signed off by the audit committee in
their terms of engagement, are also driven partly by statutory and professional
requirements. They are answerable for their professional standards to their
professional bodies (as indeed should a good internal auditor also be) and can
be answerable also to regulators who may have outsourced investigatory work
to them.
One of the advantages of being inside the organisation is that internal audit
can sense changes in culture creeping in, for instance slackness in operating con-
trols or in recording events and losses. As the organisation’s independent eyes
and ears, internal audit can also spot breaches of the firm’s ethical standards – or
simply ethical creep – which could cause significant reputational damage.
Those are advantages which are unlikely to be enjoyed by a firm to which
internal audit has been outsourced (assuming it works much of the time out-
side the firm) and are beyond the scope of an external audit. On the other
hand, being outside the firm, the external auditor may spot conflicts or
problems which are not seen by those involved in day-to-day management,
including the internal auditor.
The external auditor also brings an outsider’s view, informed by having
seen many businesses in the same or similar industries. He or she should be
a helpful provider of best practice and advise on new developments in risk
management, corporate governance, financial accounting and controls. If the
external auditor reports only on balance sheet issues and not on how the busi-
ness is run, the firm is not getting best value.
Internal audit is continuously reviewing risk processes and controls. For
their part, the external auditor’s primary responsibility as regards risk man-
agement is to assure itself that appropriate governance standards are being
maintained to enable it to sign off the financial reports, including statements
made by the directors about risk.




And of course, the external auditors make their assessment at a point in


time rather than on a continuous basis. That assessment is fundamental to
external audit’s primary role, which is to establish whether the financial
statements represent a true and fair reflection of the financial position of the
organisation at that point in time.
The two auditors come together in two respects – their independence and their need to work closely together. We have commented on the independence of the internal auditor. As regards the external auditor, independence is critical. A board, or audit committee, should understand the auditor’s processes for ensuring its independence and avoiding conflicts of interest. These may include auditor rotation, ensuring that secondments from the auditor to the firm do not make management decisions, and its policy on the overall level of fees for audit and non-audit services. In the end, the board or audit committee has to make a subjective judgement.

In the US, the Sarbanes-Oxley legislation has specifically prohibited an external auditor from undertaking certain work including: book-keeping and related services, designing financial information systems, actuarial services, internal audit outsourcing services, management functions or human resources and expert services unrelated to the audit.2 Other countries are considering their own approaches and whether to impose similar restrictions or requirements, including more active corporate governance and greater transparency regarding non-audit engagements.3 Ultimately, though, the decision on whether the auditor’s position has been compromised is for the board. Complying with legislation is a minimum, not the standard.

The board should also be able to agree with the following statements:4

‘Management respects the auditors as providers of an objective and challenging process.’

You need an external auditor (and an internal one for that matter) who is prepared to go on asking unpleasant questions if necessary and for management to accept and respect that.

‘The relationship with the audit firm is controlled by the audit committee (or the independent non-executive directors) and not by management.’

External auditors must remain independent of management. The board needs assurance that they do not come too close, especially to the CFO who is often their prime point of contact in their day-to-day audit.

Finally, to enhance cooperation between the internal and external audit, personnel should meet periodically to discuss common interests. They are complementary parts of the audit process, the third line of defence, and support each other. Coordination of activities and mutual provision of reports and working papers will reduce disruption to the firm and will lead to improved efficiency and effectiveness in the overall audit process.
232

M12_BLUN7323_01_SE_C12.indd 232 29/06/2010 09:53


12 · Internal audit

Internal audit and risk management oversight


In financial services the internal audit function is obligatory, whether in-house or outsourced. Elsewhere, it is increasingly prevalent, but that is a relatively recent phenomenon. The rise of internal audit in some ways mirrors the rise of the discipline of operational risk management and probably dates from the early 1990s when internal audit began to come out of the shadow of external audit, did more than provide process assurance and became involved in risk management.

It is interesting that even as recently as 2003, Sir Robert Smith, Chairman of The Weir Group Plc, in his report on audit committees for the Financial Reporting Council, recommended that firms should have an internal audit function, but was keen to ‘work with the grain’ of the organisation and did not believe that it should be mandatory.5

In a more recent interview, however, he has shifted his ground and now believes that all FTSE 250 companies should have an internal audit function: ‘It’s part of the evolution of the company and the culture within. You have to have some form of internal review.’6 It’s not the name but the function which matters.

Internal audit provides assurance to the board on the first and second lines of defence. Regarding the first line, it provides assurance that controls are working effectively and are appropriate to the risks of the organisation. As for the second line of defence, oversight functions such as risk management ensure consistent application of the risk management framework and provide challenge to business operations. Internal audit provides assurance that the oversight functions are working effectively, picking up on adverse changes in the risk profile and that these are being reported. As can be seen from Figure 12.1, oversight covers both financial and non-financial controls, including the people risks overseen by HR (see Chapter 14, People risk) and regulatory and statutory compliance.

It is, of course, important that the second and third lines of defence work closely together, leveraging each other’s expertise and experience. Whilst their activities are complementary, there needs to be clear demarcation so that their respective roles are understood both by themselves and by others in the firm. They also need to map sources of assurance over key risks and controls, so that there are no underlaps or overlaps. Internal audit is part of the risk management process but is not risk management. It should not set the risk appetite or in any other way have accountability for risk management. Its role is to review and give assurance on the process elements of the risk management framework.
Part 4 · Mitigation and assurance

Specifically, internal audit should not be responsible for operational risk management. In the late 1990s, when few firms had a structure for operational risk management, let alone designated operational risk managers, responsibility for operational risk often fell to internal audit on the basis that operational risk was all about internal processes, and internal auditors were the only people in the organisation who knew the processes and controls operating throughout the firm. Times have moved on. Operational risk is recognised as going beyond systems and process. Whilst auditors can and should provide guidance, responsibility for risk rests with business line management.
As an independent assurer, internal audit is, in fact, especially valuable and necessary in operational risk. Operational risk managers are usually intimately involved in the development of the operational risk framework within a central team, or work in business units where they can offer advice and guidance and are responsible for providing data inputs and resulting reports. That effectively places them in the first and second lines of defence, a confusing enough position. There therefore needs to be an independent assurance process of the information they are providing and the methodologies used.

Where there is no risk management function, the internal auditor may act as a facilitator in establishing a risk management strategy and framework. But it is important that they do not compromise their independence or confuse their role by taking risk decisions or being executive risk managers, however attractive that role may seem.

The role of internal audit

Policy
Internal audit should operate within a clear policy statement, approved by the firm’s board and management, which outlines:
• its objectives and the scope of the internal audit function
• its status and position within the firm, including its relationship to the business lines and oversight functions
• its competences, tasks and responsibilities.

The scope of possible responsibilities is wide. According to the Institute of Internal Auditors,

‘Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.’7

In addition, whether it is the audit committee or the board to whom internal audit reports, that body is not only responsible for financial reporting and the process relating to the company’s financial risks and internal control, but their concerns will also include non-financial risks such as whistle-blowing, remuneration policy (including the information on which remuneration may be based) and exposure to fraud, almost all of which require some degree of internal audit assurance.

To add to the mix, internal audit has an outward looking role. First, it should protect and safeguard the reputation of a firm by ensuring that ethical and other guidelines or codes are adhered to through assurance of the process. Second, it should be able and encouraged to take a broader view of the firm and its environment and not be bogged down in the detail of process, important though that is. The board needs to be clear from all of this exactly what it wants from internal audit, but also consider internal audit’s ability to meet changing expectations.

Finally, it is important that the audit agenda is shaped by the needs of the business and not by internal audit’s capabilities. If that is not the case, its resources and personnel will need to be changed.8

Planning and priorities


Having established its role, the head of internal audit can work with the board to develop and deliver the audit plan. This should be risk-based, using a form of the risk and control assessment process described in Chapter 4. To see what we mean by risk-based in the case of internal audit, let’s look at the example of a risk and control assessment shown in Figure 4.6, which is reproduced in Figure 12.2.

The risk and control assessment should drive the audit cycle. That does not mean that internal audit’s priority is to look at those risks which are seen as ‘net’ red or amber. Rather it should be to look at those risks which show a ‘gross’ red and a net ‘green’. Here management is saying that they have put in place excellent controls to mitigate the risks of a ‘red’ event taking place. If they fail or are inadequate, the firm will be faced with the possibility of a very high risk materialising. That is where internal audit should concentrate its attention. If a risk is ‘net’ red, then it is assumed – but internal audit should obviously check – that management is taking appropriate action. Internal audit can then provide assurance that the controls which management has put in place are effective. Using the example given in Figure 12.2, internal audit’s priorities will therefore be as shown in Table 12.1.

Of course, the audit cycle will also be influenced by such events as the arrival of a new unit head or launch of a new business process or product. But the fundamental approach should be to go back to the risk and control assessment and identify those risks for which management considers controls to have had the greatest effect. Since the risk and control assessment will also encompass strategic risks, it should mean that internal audit’s plan will give equal weight to both the board’s and management’s risk assessments. The priorities of the board and internal audit should be aligned.
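The selection rule described above, applied mechanically to the risk and control assessment data, as an added example (not code from the book or from Chase Cooper). It scores a constructed subset of the Figure 12.2 rows and reproduces the risk/control pairs in Table 12.1; the banding thresholds it uses (gross score of 12 or more counts as ‘red’, a control effectiveness score of 16 counts as ‘green’) are assumptions inferred from that table, since the page does not state them.

```python
"""Risk-based audit prioritisation over a risk and control assessment (RCA).

Added example, not the book's or Chase Cooper's code. Thresholds below are
assumptions inferred from Table 12.1; the page itself does not state them.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed subset of the Figure 12.2 rows, one risk per line:
#   id | risk | I | L | control:D:P ; control:D:P ; ...
RCA_ROWS = """\
1|Failure to attract, recruit and retain key staff|4|4|Salary surveys:2:2;Training and mentoring schemes:3:2;Retention packages for key staff:4:4
2|Financial advisers misinterpret/fail to understand the complexity of 'equity release' products|4|4|Staff training:4:4;Learning gained from previous deals:4:4;Review of individual needs in performance appraisal process:3:2;Procedure manuals for processes:4:4
3|Poor staff communication|4|4|Defined communication channels:4:3;Documented procedures and processes:3:2
4|Failure to understand the law and/or regulations|4|3|Internal training courses:4:4;Regular updates from various sources:4:1;External training courses:4:3
5|Poor detection of money laundering|4|3|AML annual training:3:2;Circulation of BBA awareness circulars:3:1;KYC:4:3
6|Insufficient funds/deposits to cater for lending activities|4|3|Liquidity risk policy:4:4;Advertising:4:3;Economic forecasting:3:3
7|Over-selling credit cards|4|3|Staff training:3:3;Credit scoring:4:4;Forward business planning:3:3
8|Over-deployment of management resources on regulatory issues|3|4|Monthly budget against actual review:3:4;Corporate governance:4:4;Monthly head of compliance & CEO meetings:2:2
10|Over-dependency on outsourcing|3|3|SLAs:4:4;Outsourcing monitoring:4:4;Due diligence:4:3;Policy:3:4
13|External fraud activities|3|2|Anti-fraud training:4:4;Systems security:4:4
"""

GROSS_RED = 12       # assumed: gross score (I x L) at or above this is 'red'
CONTROL_GREEN = 16   # assumed: effectiveness (D x P) of 16 is a 'green' control


@dataclass(frozen=True)
class Control:
    name: str
    design: int       # D column
    performance: int  # P column

    @property
    def effectiveness(self) -> int:
        """E column of the RCA: design multiplied by performance."""
        return self.design * self.performance


@dataclass(frozen=True)
class Risk:
    risk_id: int
    name: str
    impact: int       # I column
    likelihood: int   # L column
    controls: Tuple[Control, ...]

    @property
    def gross(self) -> int:
        """S column of the RCA: impact multiplied by likelihood."""
        return self.impact * self.likelihood


def parse_rca(text: str) -> List[Risk]:
    """Parse the pipe/semicolon/colon layout above into Risk objects."""
    risks = []
    for line in text.strip().splitlines():
        rid, name, impact, likelihood, ctrl_field = line.split("|")
        controls = []
        for item in ctrl_field.split(";"):
            cname, d, p = item.rsplit(":", 2)  # scores are the last two fields
            controls.append(Control(cname, int(d), int(p)))
        risks.append(Risk(int(rid), name, int(impact), int(likelihood),
                          tuple(controls)))
    return risks


def audit_priorities(risks: List[Risk]) -> List[Tuple[int, str, str]]:
    """Risk/control pairs internal audit should test first.

    Rule from the text: a gross-red risk that management rates as well
    controlled is exactly where a control failure would hurt most, so those
    controls get assurance first. Ordered by gross score (descending) then
    risk ID, which reproduces the order of Table 12.1.
    """
    hits = []
    for risk in sorted(risks, key=lambda r: (-r.gross, r.risk_id)):
        if risk.gross < GROSS_RED:
            continue
        for ctrl in risk.controls:
            if ctrl.effectiveness == CONTROL_GREEN:
                hits.append((risk.risk_id, risk.name, ctrl.name))
    return hits


def follow_up_risks(risks: List[Risk]) -> List[int]:
    """Gross-red risks with no green control: management is assumed to be
    acting on these, and audit's job is to check that assumption."""
    return sorted(r.risk_id for r in risks
                  if r.gross >= GROSS_RED
                  and not any(c.effectiveness == CONTROL_GREEN
                              for c in r.controls))


if __name__ == "__main__":
    rca = parse_rca(RCA_ROWS)
    for rid, rname, cname in audit_priorities(rca):
        print(f"{rid:>2}  {rname[:45]:<45}  {cname}")
    print("Check management action on risks:", follow_up_risks(rca))
```

Risks 10 and 13 are in the sample precisely because they carry ‘green’ controls but are not gross red, so the rule leaves them out of the first cut of the audit plan.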


Figure 12.2 Generic risk and control assessment

Each risk is listed with its ID, owner(s) of the risk and scores I, L and S; the controls for that risk follow, each with the owner(s) of the control and scores D, P and E.

1 | Failure to attract, recruit and retain key staff | SR | I 4 | L 4 | S 16
    Salary surveys | TJ | D 2 | P 2 | E 4
    Training and mentoring schemes | TB | D 3 | P 2 | E 6
    Retention packages for key staff | TJ | D 4 | P 4 | E 16
2 | Financial advisers misinterpret/fail to understand the complexity of ‘equity release’ products | PL AB | I 4 | L 4 | S 16
    Staff training | TB | D 4 | P 4 | E 16
    Learning gained from previous deals | KW & EL | D 4 | P 4 | E 16
    Review of individual needs in performance appraisal process | TB | D 3 | P 2 | E 6
    Procedure manuals for processes | EL | D 4 | P 4 | E 16
3 | Poor staff communication | SR JK | I 4 | L 4 | S 16
    Defined communication channels | ZK | D 4 | P 3 | E 12
    Documented procedures and processes | EL | D 3 | P 2 | E 6
4 | Failure to understand the law and/or regulations | PL | I 4 | L 3 | S 12
    Internal training courses | EL | D 4 | P 4 | E 16
    Regular updates from various sources | EL | D 4 | P 1 | E 4
    External training courses | TB & EL | D 4 | P 3 | E 12
5 | Poor detection of money laundering | PL | I 4 | L 3 | S 12
    AML annual training | TB & EL | D 3 | P 2 | E 6
    Circulation of BBA awareness circulars | EL & ZK | D 3 | P 1 | E 3
    KYC | ALL | D 4 | P 3 | E 12
6 | Insufficient funds/deposits to cater for lending activities | CK | I 4 | L 3 | S 12
    Liquidity risk policy | ZK | D 4 | P 4 | E 16
    Advertising | KW | D 4 | P 3 | E 12
    Economic forecasting | CK | D 3 | P 3 | E 9
7 | Over-selling credit cards | CK | I 4 | L 3 | S 12
    Staff training | TB | D 3 | P 3 | E 9
    Credit scoring | EL | D 4 | P 4 | E 16
    Forward business planning | ZK | D 3 | P 3 | E 9
8 | Over-deployment of management resources on regulatory issues | RU CK | I 3 | L 4 | S 12
    Monthly budget against actual review | TJ | D 3 | P 4 | E 12
    Corporate governance | CK | D 4 | P 4 | E 16
    Monthly head of compliance & CEO meetings | CK | D 2 | P 2 | E 4
9 | Failure to capture market opportunities | AB | I 3 | L 3 | S 9
    Competitor monitoring | TB | D 3 | P 4 | E 12
    Product development | TB | D 2 | P 2 | E 4
10 | Over-dependency on outsourcing | CK | I 3 | L 3 | S 9
    SLAs | CK & EL | D 4 | P 4 | E 16
    Outsourcing monitoring | CK & EL | D 4 | P 4 | E 16
    Due diligence | CK | D 4 | P 3 | E 12
    Policy | CK | D 3 | P 4 | E 12
11 | Weakness in information security system | RU JK | I 4 | L 2 | S 8
    Record retention | ZK | D 2 | P 2 | E 4
    Information security policy procedure and monitoring | ZK | D 3 | P 2 | E 6
    Staff training and certification | TB | D 3 | P 3 | E 9
    Client agreements/marketing | ZK & KW | D 2 | P 1 | E 2
12 | Inadequate or insufficient IT infrastructure to achieve business objectives | JK | I 2 | L 4 | S 8
    Business/strategic planning | ZA & KW | D 3 | P 4 | E 12
    IT systems performance and capability monitoring | ZK | D 4 | P 3 | E 12
13 | External fraud activities | PL | I 3 | L 2 | S 6
    Anti-fraud training | ZK | D 4 | P 4 | E 16
    Systems security | ZK | D 4 | P 4 | E 16
14 | Failure to grow staff competencies | SR | I 3 | L 2 | S 6
    Staff training | TB | D 4 | P 3 | E 12
    Hire of temporary staff | TB | D 2 | P 2 | E 4
    Appraisals | TB | D 2 | P 3 | E 6
15 | Misaligned employee goals | SR CK | I 2 | L 3 | S 6
    Appraisals | TB | D 2 | P 3 | E 6
    Corporate governance | ZA | D 4 | P 4 | E 16
16 | Failure to sense and eliminate internal fraud | PL | I 3 | L 2 | S 6
    Criminal background check | EL | D 3 | P 2 | E 6
    Segregation of duties | ZA | D 2 | P 3 | E 6
    Staff training | TB | D 3 | P 2 | E 6
    Fraud monitoring | EL | D 4 | P 4 | E 16
    Whistle blowing | ALL | D 3 | P 3 | E 9
17 | Unfit or inappropriate new products launched | AB | I 4 | L 1 | S 4
    Staff training | TB | D 3 | P 2 | E 6
    New products approval process | KW | D 3 | P 2 | E 6
18 | Poor strategic decision making | CK AB | I 4 | L 1 | S 4
    Monitoring of market data | KW | D 4 | P 4 | E 16
    Research and forecasting | KW | D 4 | P 2 | E 8
    Monthly Management Forum | ZA | D 4 | P 3 | E 12
    Marketing strategy review | ZA & KW | D 3 | P 3 | E 9
19 | Inaccessible premises | RU | I 3 | L 1 | S 3
    BCP/M | EL | D 4 | P 3 | E 12
    Security of floors (to enable loss to be better managed) | ZA | D 3 | P 4 | E 12
    Building and firm guards | ZA | D 4 | P 4 | E 16

Key: I = impact; L = likelihood; D = design; P = performance. S and E are the products I × L and D × P.

Source: Courtesy of Chase Cooper Limited


Table 12.1 Internal audit priorities drawn from Figure 12.2

Risk | Controls
Failure to attract, recruit and retain key staff | Retention packages for key staff
Financial advisers misinterpret/fail to understand the complexities of ‘equity release’ products | Staff training; Learning gained from previous deals; Procedure manuals for processes
Failure to understand the law and/or regulations | Internal training courses
Insufficient funds/deposits to cater for lending activity | Liquidity risk policy
Over-selling credit cards | Credit scoring
Over-deployment of management resources on regulatory issues | Corporate governance

Status and resourcing


Audit, the third line of defence, is a critical part of a firm’s risk management framework, which should be accepted and recognised as such by everybody in the firm. That is achieved partly by the attitude of the board and partly by the behaviour of the internal auditors (see Effective internal audit below).

Internal audit must be free to obtain all the information it needs, when it needs it, and not find itself obstructed or ignored in any way. This will be less likely if it reports unequivocally to the chair of the audit committee or the senior non-executive director. If it does not, that may reflect its status within the organisation. The board, or its audit committee, must also ensure that audit has the right number and quality of staff, another issue which is dealt with in the section on Effective internal audit below.

Finally, a word about remuneration. As with those in an oversight role, remuneration should not present the possibility of a conflict. Those in the second and third lines of defence (oversight and independent assurance) should be remunerated on the basis of achieving their own objectives rather than have their remuneration based on the firm’s financial performance.

Reporting to management and the board


Having established the plan and put it into action, it is internal audit’s job to report its progress and significant issues to the board and to senior management for action. Auditors must be ready to report issues beyond the standard and agreed framework and, if they have something especially sensitive to report, there must be a clear line of communication from them to whoever is appropriate – the chairman, chair of the audit committee or senior independent non-executive director.

To be an effective part of the risk management process, audit reports should be prompt and concise, with issues prioritised according to their materiality and significance. Reporting is not a comprehensive exercise in blame avoidance, but a pointer for the board and management to take action. As with so much risk management activity, there is little point in doing it unless it results in action.

Once internal audit’s recommendations are accepted as action points by management, it is then the role of internal audit and the board to monitor whether they are completed satisfactorily and to time. Speed and completeness of clearing audit queries are a powerful key risk indicator for testing that the risk of a poor risk culture is of minimal likelihood.

It is also a good plan for internal audit, apart from its regular reports to the audit committee, to report to the board at least annually, not just with an overview of its activities and performance against objectives, but to provide a ‘state of the union’ message of its view of the state of the risk and control environment within the firm.

The internal auditor as consultant


The IIA definition quoted above states that internal audit, amongst other things, is a ‘consulting activity designed to add value and improve an organisation’s operations’. Risk management consulting is, of course, far sexier than ticking back controls and procedures. That’s understandable, but not if it means the fundamental job of checking processes is downgraded or, even more seriously, if it provides potential for conflicts of interest.

Having said that, consulting can be a legitimate activity for internal audit where there is no strong risk management function, but it requires careful control. Consulting can:
• make available to management the tools and techniques used in internal audit to analyse risks and controls
• support risk management by leveraging internal audit’s expertise in risk management and controls, and its overall knowledge of the organisation (and indeed vice versa)
• support risk management by providing advice and promoting the development of a common language and understanding as part of embedding risk in the firm
• support managers as they work to identify the best way to mitigate their risks.9

However, whenever internal audit acts to help management to set up or to improve risk management processes, its plan of work should include a clear strategy and timeline for migrating the responsibility for these services as soon as possible to members of the management team. Advice and support is one thing; taking risk management decisions itself quite another. Even being involved in designing part of the process can lead to significant conflicts for later audits.

Where internal audit does become responsible for some aspect of risk management, it cannot then provide independent assurance for that aspect. This will have to be obtained from a suitably qualified independent third party.

If everybody is satisfied that internal audit’s independence will not be compromised and it is asked to undertake work beyond its standard and agreed assurance activities, this should be recognised as a consulting engagement and appropriate terms of engagement agreed.

Investigations
Events continually occur which require investigation and assurance. If the request comes from the chairman of the audit committee or the non-executive directors, there is no risk of internal audit being conflicted.

If, however, the request comes from management, they should seriously consider using their own resources wherever possible, probably from those in an oversight role (i.e. the second line of defence), leaving audit to fulfil its proper role of independent reviewer and assurer.

Audit committees
The audit committee, comprising as it does independent non-executive directors, performs a key oversight role for the board and should be the critical link between the board and both internal and external audit. In most financial sector firms, there will be a separate risk committee. That was also a key recommendation by Sir David Walker in his report in 2009 on corporate governance issues in UK banks, which was undertaken in response to the financial crisis.10 However, in many firms, the audit committee fulfils both functions. It therefore acts as a catalyst for improving both oversight and risk management.

Audit committee and internal audit


As we said at the beginning of this chapter, the head of internal audit should report to the chair of the audit committee from a functional point of view (or failing that the senior independent non-executive director) even if, administratively, he or she reports to the CEO or CFO. Given the key role of the audit committee in the audit governance structure, its chairperson should be actively involved in the appointment of a new head of internal audit. The committee should also ensure that the review of the effectiveness of internal audit is truly independent.

It is for the audit committee to agree the internal audit plan and any changes to it. The committee may also wish to consider the extent to which it is able to call on internal audit to perform investigations on its behalf. In all of this, though, it must make sure that the board is kept fully advised of its activities.

For its part, internal audit needs to have a clear understanding of the responsibilities and operation of the audit committee and the expectations of both the committee and its chairperson. In summary, the board, audit committee and internal audit need to have a shared vision for internal audit.

Audit committee and external audit


Here, the audit committee’s duties are clearer cut in that it is its job to appoint the external auditors and agree their terms of engagement and fees. Whilst the chairperson of the audit committee does not manage the relationship between the firm and its external auditors, he or she should be fully aware of plans for the audit, its progress and outcomes.

The external auditors’ principal point of contact will be the CFO and the point has already been made that the audit committee should be satisfied that there is an appropriate relationship between the auditors and the CFO. It has a duty to ensure that management’s processes deliver adequate disclosure, but it must also ensure that the finance function is adequately resourced to fulfil its functions.

An audit committee health check


A last word on oversight. Audit committees are not just about financial reporting and assessing internal controls. Their brief as independent assessors of the quality of risk management also takes them into non-financial risk assessments.

Table 12.2 offers a useful checklist of risks which audit committees should be continually considering in assessing the overall health and tone of the company they serve. Some are what might be termed ‘soft’ risks for which the indicator is effectively a binary ‘yes’ or ‘no’. If there are more than a very few ‘yes’ answers, it is likely that the firm is dangerously exposed to risk. For some, however, firmer indicators can be established.


Table 12.2 Risks and risk indicators for audit committees

Soft risks
• Inappropriate tone at the top
• Autocratic management
• Inexperienced management
• Poor management oversight
• Frequent senior management over-rides
• Overly complex organisational structures or transactions
• Lack of transparency in the business model and the purposes of transactions
• (Late) surprises
• Unrealistic earnings expectations
• Exposure to rapid technological changes

Hard risks | Risk indicators
• Unusually rapid growth | Percentage growth in sales
• Frequent organisational changes | Number
• High turnover of senior management | Key staff lost
• Lack of succession plans | Percentage of divisions/units completed
• Ongoing or prior investigations by regulators or others | Number
• Untimely reporting and responses to audit committee enquiries | Number of days
• Industry softness or downturns | Industry growth/decline from industry reports

Source: Derived from: KPMG Audit Committee Institute, Shaping the audit committee agenda, May 2004

Effective internal audit


Given its key role in relation to internal audit, what are the qualities an audit committee chairperson might look for in a new head of internal audit?

In an article in Internal Auditing, its editor, Neil Baker, suggested that the person specification would have at the top of the list:
• integrity: the highest moral and ethical standards
• challenge: at every level
• tenacity: ‘stick to your guns’ and stay focused
• pragmatism: an open mind and a corporate mind
• independence: strength of character; resilience
• good communicator and ambassador.11


Those qualities should, of course, apply equally to the members of the audit team as well as its head, and are probably also valid when appointing a new CRO.

There is an obvious need to be independent and to challenge and, if necessary, keep on challenging. Inevitably, the job involves difficult and contentious issues. Handling them with candour and frankness will generate confidence in the function.

Communication is two-way. It is as important for internal audit to communicate its views effectively, as it is for the business to report to audit its concerns and problems and not wait, in a destructive game, for audit to discover them.

Internal auditing is about continuous improvement, as is suggested in the IIA definition, not merely checking that controls are working. To achieve improvement you have to be a politician and understand both the culture of the organisation and the art of the possible. You need to understand how to gain acceptance for your recommendations – and not rely on some ill-defined threat of whistle-blowing.

A key role of the head of internal audit is to build an effective audit team. Ideally, it will come from a diverse talent pool of relatively senior and experienced people. Often, though, that is not possible. Where individuals lack experience, they should be able to make up part of the deficiency through common sense and pragmatism. One of the problems for any audit team is that the people they rely on for information are also the people they are evaluating. They need the skill to ask the right questions and to develop a ‘nose’ for assessing the answers. Without those skills, the role becomes one of inquisitor rather than constructive critic.

Long outstanding audit queries are a good indicator of the poor quality of risk management in a firm and of its risk culture. They can also be an indicator of the level of respect for the internal audit function, and even of the quality of queries being raised. If it works well, internal audit will gain credibility and respect from the business, who will therefore listen and seek advice from the function, such as when a new project is being considered.

Much of the job is about building awareness of the value which internal audit can bring. The obvious way is in providing the board and management with objective assurance that the risk governance and risk management processes are being operated appropriately and that the internal control framework is operating effectively.

But internal audit can demonstrate its value in an active as well as a passive way. We have referred to internal audit as being a catalyst for continuous improvement within the firm. In addition, people need to be made aware of what it does and how it can help, perhaps through leaflets or the intranet, or simply by networking.


Two of the best ways for people to see the benefits of the function are:
• to second staff to it, and
• to make sure that a term in internal audit is seen as a value-adding career move which is remunerated appropriately.

Secondments are particularly useful because, when they end, the secondee will go back into the mainstream operations. That way, audit’s knowledge of the organisation is constantly refreshed and the quality of risk management and internal controls will be continuously improved.

That is an excellent way for a good internal audit function to add real value.

Notes
1 See Michael Power, Organized Uncertainty (Oxford: OUP), 2009, for further discussion on this point.
2 Sarbanes-Oxley Act 2002, s 201.
3 See www.frc.org.uk/apb for details of the Auditing Practices Board consultation in the UK, October 2009.
4 Derived from Checklist – Evaluating the external auditor, KPMG Audit Committee Institute, 2008, www.kpmg.co.uk/aci.
5 Sir Robert (now Lord) Smith, Audit committees – Combined Code Guidance, Financial Reporting Council, January 2003.
6 Internal Auditing, November 2008, p. 26.
7 See www.iia.org.uk.
8 For further commentary, see In control: Views of Audit committee Chairmen on the effectiveness of internal audit, PricewaterhouseCoopers; www.pwc.co.uk.
9 For further discussion, see IIA position paper on internal audit and ERM, January 2009, at www.iia.org.
10 Sir David Walker, A review of corporate governance in UK banks and other financial industry entities, November 2009; www.hm-treasury.gov.uk.
11 Neil Baker, ‘Internal auditing and business risk’, Internal Auditing, January 2006.

Part 5
Practical operational risk management

13. Outsourcing
14. People risk
15. Reputation risk

13
Outsourcing

What is outsourcing?
Outsourcing – transforming operational risk
Deciding to outsource
The outsourcing project – getting it right at the start
Risk assessment
Some tips on the request for proposal
Selecting the provider
Some tips on service level agreements
Managing the project
Exit strategy



Part 5 · Practical operational risk management

What is outsourcing?
Outsourcing is the transfer of selected projects, functions or services and the delegation of day-to-day management responsibility to third party suppliers. It is not confined to IT, nor even human resource functions, nor to offshore outsourcing. It could involve the transparent transfer of part of the business to a third party, or the transfer of a service, by white-labelling, to a third party, including another member of the same group. It involves all agency arrangements and could be by way of a joint venture.

In all cases, if it is to work effectively, both parties will work as partners. Nearly all aspects of outsourcing risk management, as we shall see, revolve around the need to establish a balanced and fair partnership between the outsourcing client (or buyer) and the service provider.

Although this chapter deals specifically with outsourcing, the principles and management processes apply just as well to any major procurement or third party dependency, such as the supply chain. Third party dependency is, in fact, a useful generic term to describe the risk which we accept in any buyer–supplier relationship, of which outsourcing is but one.

Outsourcing – transforming operational risk


From the buyer’s point of view, outsourcing transforms the risks of managing an activity into one of managing and relying on a third-party provider whose day-to-day actions are outside its direct control. It does not eliminate risk, but it should reduce the original risk by placing its management in the hands of somebody who can manage it better, somebody who can provide access to experienced skills at a reasonable cost.
Many firms are reluctant to relinquish control to a third party. They see that as an unacceptable risk. In part, they probably overestimate the extent to which they are in control of such elements as data security, or have quality IT skills to achieve high performance or to embrace new technology opportunities. However, to reduce risks arising from lack of direct control to acceptable levels, the buyer needs to understand fully the operational risks of the service provider and the effectiveness of their controls because, if things go wrong, the impact will be felt by the buyer and its customers. Whilst day-to-day management responsibility may be delegated to the provider, responsibility for quality and reputation remains firmly with the buyer. In the end, the buck stops there.
In August 2008, Barclays-owned credit card company Goldfish sent out the
correct front sheets of monthly statements to its account holders, but enclosed
back-up sheets relating to other customers. In the same month RBS and
NatWest customer data was found being sold on eBay. Everybody has heard
of the problems at Goldfish and RBS. Few, if any, know the names of the firm

248

M13_BLUN7323_01_SE_C13.indd 248 29/06/2010 09:53


13 · Outsourcing

which printed the Goldfish statements, or the company which operated RBS’s archive centre.1
So you cannot outsource responsibility, nor can you outsource reputation risk. If the change you are making through outsourcing is likely to have an effect on your customers, especially during the transition period, you need to have an effective media and employee communications strategy in place, from the time when the decision to outsource is made to when it has been successfully implemented. Effective communication is the best mitigant to reputation risk and also, as we shall see, to ensuring a successfully managed outsourcing project.
In this chapter we shall go through the outsourcing process, identify the key risks at each stage and discuss the actions or controls which need to be in place to reduce them.

Deciding to outsource

Benefits of outsourcing
When people are asked in surveys what makes a successful outsourcing deal, it is noticeable that cost savings come a long way behind features such as:
• concentrating management on core activities
• achieving higher activity levels
• improving customer service(s), and
• improving financial control.
All of these help to improve the buyer’s competitive advantage, something which should be a fundamental test of whether to outsource or not.
Outsourcing makes business sense by improving both the speed and quality of customer service. A service provider may, for instance, be able to handle a variety of resource-consuming compliance tasks more cost-effectively, and free the buyer’s staff to concentrate on a major systems project.
In the best deals, where there is a true partnership, the buyer passes on expertise derived from its strengths and the supplier is proactive in coming to the buyer with innovative ideas. New products can come to market more quickly.
At a higher level, outsourcing can be a force for cultural change if it is part of the transformation to a differently shaped and focused organisation. It can also help in a merger, when it is often difficult to combine two infrastructure cultures. Basing the future infrastructure on a third-party provider can remove the problem and take it outside the politics. Outsourcing can thus be a major force for changing and transforming the operational risk environment.



Part 5 · Practical operational risk management

It’s not about cutting costs


So the decision to outsource should be made on good business grounds, looking at the overall value outsourcing can bring, and not solely, or even primarily, on grounds of saving costs or improving return on investment. In 2007, Compass published a survey of 240 large IT outsourcing deals which showed that 65% unravelled before their term because they did not deliver anticipated cost savings.2 That was often because of the unrealistic pressure by clients on providers to deliver a service at prices which were unsustainable in the long-term.3
There should, of course, be appreciable cashflow benefits in outsourcing, but if cost-cutting is the primary driver for deciding to outsource, the chances are that the outsourcing project will be a failure. Cost reduction on its own brings little sustainable business advantage. In any case, the cost savings can often be seductively more apparent than real. The Compass survey also showed that whilst outsourcing providers were pricing contracts at a level which showed immediate cost savings of up to 18% on the in-house operation being replaced, costs then increased to an average of 30% above the original in-house cost by year three of the contract. What is cheap is usually dear.
One of the biggest risks in deciding whether to outsource or not is to fail to assess the true costs of the activity as it is currently run, and the costs, both financial and non-financial, when it is outsourced. Without proper information on costs, you run the serious risk of making the wrong decision in principle and of not assessing potential service providers against a robust benchmark.
When considering outsourcing, ask yourself whether you have allowed fully at the outset for the costs of:
• the activity in-house, including premises and supporting infrastructure
• start-up and the transition to the service provider
• ongoing management and monitoring of the contract, especially if the outsource provider is offshore
• contingency plans if something should go wrong
• maintaining sufficient resource in staff and infrastructure to enable you to take the activity back in-house should the contract be terminated.
If cost reduction is the priority, it tends to build short-term relationships that cannot stand the test of time. You may have got a good deal at the outset, but that could be because you squeezed your provider unduly, and you will suffer when things go wrong at their end. They will feel little commitment to helping you with what is your problem as much as theirs.
But there are positive aspects to outsourcing and cashflow. For instance, outsourcing should mean that future costs are more certain, which will help with planning and pricing. Outsourcing can also bring flexibility, by turning fixed costs into variable costs and freeing up capital which would otherwise have to be invested in non-core activities or large investment projects. The service provider has already invested in the necessary process and can provide the benefits of infrastructure and economies of scale. Even more positively, on the question of cash, outsourcing may bring a cash infusion, if the provider buys assets such as hardware or software, or increased opportunities for revenue generation.
Cash benefits such as these are positive reasons to outsource. Cash benefits based on cost-cutting are not.

High-level principles and policy for outsourcing


A fundamental part of outsourcing risk governance is for the board, as with any other major risk or control issue, to agree the principles and policy which will govern outsourcing within the firm. The board, after all, retains responsibility for the policy, and ultimate responsibility for activities undertaken under that policy. It should guide the assessment of whether and how activities should be outsourced. It should also outline how outsourcing projects are to be managed and the governance arrangements which should apply.

Deciding what to outsource


Once the policy and process are established, you can consider possible functions or activities as candidates for outsourcing. The best approach is to work on the basis that the company you outsource to will do it better than you can or that they can do something which you cannot do.
At the level of a small firm, that may, for instance, mean outsourcing areas which are subject to changing legislation, such as tax or accounting, because that is what the outsourcing firm is expert at. In this way the firm can reduce its risks and save the costs of somebody internally who is probably not able to keep as up to date as a professional firm whose reputation depends on having that knowledge. Another example for a small firm is where it is able to share state-of-the-art technology which it could not otherwise afford, so that outsourcing brings competitive advantage as well as a saving in costs.
Whatever activity is outsourced, there are three golden rules:
• Don’t try to outsource a problem. The outsourcer can’t sort out your mess. Only you can do that.
• Talk to the business. It’s the business’s needs which are paramount, not those of procurement.
• Never outsource whatever gives you competitive advantage, i.e. the function which is so core to your business that you need to control it directly to ensure your continuing competitiveness.


Leaving aside the cynics who say that ‘core’ is the part of the business you can’t sell, what is ‘core’ will vary from firm to firm. Does ‘core’ mean ‘strategic’? If so, what is truly ‘strategic’?
In 1996, British Airways, which has always been an aggressive outsourcer, was highly successful in outsourcing its customer correspondence function from the UK to India. Some 2000 jobs were outsourced but only two redundancies resulted in the UK as staff were redeployed to higher value, less mundane, jobs. What is more, the function was more efficiently handled in India and customer satisfaction rose.4 Following this, in 2001, the company declared its intention to be a ‘virtual’ company, with its aircraft leasing, maintenance, ground handling, ticketing, IT, website, in-flight staff and even its pilot staffing being outsourced. That just about left only the brand.
Similarly, Coca-Cola does not make Coke. It markets it and looks after advertising and strategy, but most of the product is produced under licence by bottling companies around the world. And Virgin merely badges the financial services and mobile phone activities which bear its name. Perhaps managing the brand and reputation is the real core activity, along with managing the outsourcing contracts, which replace the previous core activity for these firms of managing a large number of people.
But it is not just activities which are core. Some risks are so ‘core’ that they also should not be outsourced. The Potters Bar rail crash, just north of London, was a salutary lesson.

Case study Railtrack – the Potters Bar train crash (2002)


Railtrack was privatised in 1996. After two serious crashes in 1999 and 2000 it failed to raise necessary funding of £700m and was placed into administration in October 2001 and turned into a not-for-profit company.
In May 2002, seven people were killed and 70 injured when a faulty track caused a passenger train to be de-railed. Railtrack, which was responsible for the line, had outsourced its maintenance to Jarvis. Shortly before the crash, Jarvis employees had passed the track as meeting relevant safety standards. Railtrack had therefore outsourced safety which, given its history, might have been assumed to be one of its key risks and core activities.

The outsourcing project – getting it right at the start


Two of the biggest risks in outsourcing projects are:
• not having clearly defined goals and objectives, and
• not planning properly.
Since risks are threats to objectives, it is difficult to identify risks to the project if clear objectives have not been set. Failing to set clear goals and objectives is therefore a major risk in itself.
Too often projects go wrong because unrealistic timelines have been set at each stage of the project. Or there is poor planning on the timing of the transition to the service provider and, importantly, on the effect the outsourcing arrangement will have on employees and processes in other parts of the organisation, and on areas of risk, including environmental and regulatory factors.
Once the decision has been made to outsource, the key to minimising failure is preparation:
• set objectives for the project
• understand the scope of what is to be outsourced
• be clear about the benefits you are trying to obtain
• appoint a project team who will have day-to-day responsibility to run the process and deliver a workable outsourcing solution
• use your risk management system to manage the process and re-assess the risks at every stage.
If you have agreed principles on how to manage the outsourcing process, you will manage the outsourcing risks effectively.

Risk assessment
Once you have decided to outsource and have established a project team, the next stage is to undertake a full risk assessment and identify the threats to successful implementation. Initially, you need to undertake three risk assessments:
1. as you are today
2. the project itself
3. where you want to be.
Risk assessments 2 and 3 will help to frame the request for proposal (RFP), the criteria for selecting the provider and, most importantly, the service level agreement (SLA).
Risk assessments 2 and 3 will then be reviewed at each critical stage of the project. When the SLA is signed, the provider should provide its own risk assessment (4) and agree indicators by which risks are to be monitored. During the transition period, a further assessment should be undertaken (5), but this time jointly with the provider. It is at this point that real knowledge transfer can take place in both directions.


To put it diagrammatically:
[Figure: the project stages Goals, RFI, RFP, Shortlist, Site visits, Selection, SLA signing and Transition, with the five risk assessments (1 to 5) plotted against the stages at which they are undertaken and reviewed.]

To make sure the risk assessment process for the project (2 and 3) is as comprehensive as possible, involve everybody who may be affected. That will include HR, legal, PR, finance, procurement, those whose functions are being considered for outsourcing, and those who will interact with the function once it is outsourced – and of course, risk management. If you have previous experience of outsourcing, draw on it. If this is the first time, remember that fact when you consider the risks you will face.
Outsourcing will produce new risks at each stage of the project, especially when the project has gone live and you have little day-to-day control. Here are a few:
• service delivery falls below expectation
• confidentiality and security is not respected
• contract is too rigid to accommodate change
• failure to devote enough time and energy to managing the relationship
• failure to provide sufficient resources in-house to safeguard the outsourced business processes
• inadequate contingency planning by the provider
• management changes at the outsourcing company – a frequent problem which affects both performance and communication
• the outsourcing company goes out of business.
As you consider these new risks, remember that a key mitigant is communication, both with the service provider and especially with your employees. Communicate openly with them at every stage. Not only will this mean that you get the best out of the outsourcing project, but you will understand and be able to document the consequences for those who will be affected – a fundamental part of the decision to outsource.


Some tips on the Request for Proposal


The first step towards the request for proposal (RFP) is the request for information. This should go out to as wide a field as possible, not just to the usual suspects and one or two others whom you have picked up through anecdote or hearsay. You are trying to narrow the field from as many of the available candidates as possible.
The goals and objectives which led you to outsource will point to your outsourcing needs and form the basis of your selection criteria. Those objectives and needs should have been agreed with the business rather than procurement. It is the need, not the document, which matters. Remember golden rule 2 – talk to the business. That also means that you should be careful not to prescribe the solution and make the RFP too tight. If a benefit of outsourcing is to bring in expertise which you lack, get the most out of the relationship and be open-minded about how your needs can best be met.
The risk assessment of the activity to be outsourced will guide you to what is required in the RFP. The RFP will deal with the specifics which go into the service level agreement (see Some tips on SLAs below), but it will also provide the information with which to identify:
• the management capability and resources of the provider
• how the provider handles relationship management
• processes for reporting and quality monitoring
• training requirements – on both sides
• technology requirements – and future scalability
• the transition timetable and resources needed during this period
• governance issues, to establish that the service provider shares your values.
The RFP establishes expectations and further qualifies providers on the shortlist. Because clarity is essential, use quantitative rather than qualitative criteria wherever possible. And don’t underestimate the work which will still be undertaken in your firm. The RFP should lead to a clear matrix of risk and other responsibilities as between you and the provider.
If the RFP has been framed well, it should ensure that you are able to narrow the selection down to just two or three genuine and acceptable candidates.

Selecting the provider


The worst risk of all in outsourcing is to choose the wrong partner. The approach
must be commercial rather than personal. The risks of poor selection will be
enhanced if you do not put enough resource into it, including having a variety of
perspectives and the appropriate skills to manage the process effectively.

Assessment and evaluation


Just as the decision to outsource should not be based on cost saving, so the selection of a provider should not be based on whoever provides the cheapest deal. To ensure that the process is objective and properly competitive, you need to put together an evaluation scorecard based on your goals and objectives in choosing to outsource. The scoring need not be hugely sophisticated. It could be as simple as first looking at your requirements and assessing them as being:
1. Vital
2. Necessary
3. Nice to have.
And then scoring the providers on the basis of:
1. Does not meet requirements
2. Meets requirements
3. Exceeds requirements.
In many ways, it is relatively easy to assess the ‘hard’ criteria, such as the financial, legal, contractual, performance, and even regulatory risks. What is more difficult is assessing the ‘soft’ criteria, the ones which are fundamental to successful outsourcing – cultural fit, leadership, people, communication and innovation.
The RFP should have provided much of the information. But it needs to be tested by using channels such as the Web, trade press and expert advice, as well as the customer references which will have been provided. How well is the provider recognised within its industry? What are its strengths? How good is it at dealing with problems? What is its track record of service commitment?
Above all, visit each potential provider on the shortlist. You are in it for the long term, so don’t skimp on your due diligence. Person to person is the only sensible way of assessing the critical ‘soft’ criteria. At a practical level, use your subject experts, not your sourcing or procurement executives, to check IT systems and equipment, management processes or quality assurance procedures. If the provider is overseas and it is difficult to visit them at this stage, meet and take references from existing users in your own country. But that should be a last resort.
Statements made by the provider have got to be tested and verified. What is the detailed breakdown of staff retention and turnover? Precisely how do they track customer satisfaction? How will they make sure you have the right resource when you want it? How do their sales people talk to their delivery people?
Providers often quote data such as revenue earned from top clients or utilisation rates (staff efficiency). But these are almost impossible to verify, without perhaps hiring an independent investigator, something which the Satyam case brought home in January 2009.


Case study Satyam Computer Services (2009)


Satyam was India’s fourth largest software group and one of the biggest
outsourcing companies in the country, counting Nestlé and Cisco among
its clients. In January 2009, following disclosures in a public letter from
the chairman, B Ramalinga Raju, it emerged that it had been falsifying
its accounts for several years. He had inflated the number of employees by
more than 25% (from 40,000 to 53,000) and siphoned off their salaries
to companies over which he had control. Together with other fraudulent
activities which had allegedly benefited the chairman and others, the
Indian Central Bureau of Investigation estimated in November 2009 that
the fraud amounted to more than US$2.6 bn.
Source: Based on ‘Scale of Satyam fraud escalates ahead of trial’ by Rhys Blakely, The Times,
27 November 2009, p. 77

Commenting in the Financial Times on the Satyam case, Ashutosh Gulta, a Vice President of research firm Evalueserve, said: ‘Smart companies are already hiring investigative companies to poke around and ask difficult questions and we’ll see more doing so.’5

Capability and competence


It is assumed that the provider can deliver functionality, otherwise how did they get on the shortlist? The important thing is the quality of service provided – how they will do the job, not whether they can handle a specified number of transactions in a particular time-frame.
In most outsourcing contracts, quality – and therefore risk – depends not on systems capability but on the people who are managing the process and the people who interface with your customers. Management changes at the outsourcing company are a frequent problem which affect both performance and communication. It may be that certain individuals are critical to the process or interface. If so, one control can be to insist that they are retained in their role and that you, as client, have the right to approve substitutes if they have to be moved or are absent. Consistency of the quality of service delivery is critical to your reputation.

Pricing
Pricing is another key risk. Is there sufficient transparency in the supplier’s pricing structure to ensure that you obtain the best value for money? Is there absolute clarity about fixed, upgrade and on-going costs and their basis? Have price escalators or volume-related costs been fully factored in? They may be differently priced from the base standard. What about training costs and pass-through items? We noted earlier (see It’s not about cutting costs) how final costs can far outstrip those imagined when the contract is awarded.
If an outsourcing arrangement is not set up well and managed carefully, it is not uncommon to find that incremental add-ons can increase the original costs by as much as 50%. So do the analysis thoroughly and then stretch the results through various activity scenarios. That should point you to the true costs – and the true cost savings.

Data security
One risk which looms large in financial services, but also in other sectors such as healthcare, is that confidentiality and security is not respected. What guarantees can the provider give about data security and information relating to your customers? What security measures do they have? Do they subscribe to, and are they audited against, industry and, if appropriate, international standards? Consider whether you need to run checks on their staff. That may be where independent investigators reappear.

The chain of dependency


And just as they are going to be a third party dependency risk for you, on
whom do they depend? Will they be doing everything themselves, be in a
partnership or rely on other suppliers?
The Gate Gourmet case at Heathrow in August 2005 provided a further
slant on the question of dependency.

Case study British Airways and Gate Gourmet (2005)


In August 2005, Gate Gourmet, to whom British Airways had outsourced its in-flight catering in 1997, sacked 650 staff who had stopped work to hold a canteen meeting in protest at a restructuring. With that, 1000 British Airways staff at Heathrow, including baggage handlers and other ground staff, came out on strike in sympathy. It then transpired that many of them, as well as being in the same trade union, were related to the Gate Gourmet workers. The strike forced BA to ground all its aircraft at Heathrow for over 24 hours. As a result it lost 700 flights and over £30m.

BA had failed to understand and make allowance for the links between Gate Gourmet staff and their baggage handlers.6
If there is going to be any sub-contracting, the same checks and requirements apply as were applied to the primary provider. Any significant or material sub-contractor should be subject to approval by the buyer – on the assumption that the definitions of ‘significant’ or ‘material’ have been clearly documented.


Compatibility and culture


Above all, you need to establish that your chosen provider shares your values and buys in to your vision and beliefs. They are partners, as much as they are providers, and only common values can build a sustainable relationship.
That is one of the reasons why site visits, involving your experts, are so important. Apart from anything else, if you don’t make a site visit – or several – you won’t meet the people with whom you are going to be dealing, only the people negotiating the contract.
You need to know that you can work together as a team; that your people, at each level, will get on with theirs. Are they open, sincere and positive? Do they fully understand your needs? Are they focused on continuous improvement and willing to share with you the outcome of their efforts? Since one of your risks is probably the danger of falling behind the curve of industry innovation, it may be worth negotiating incentives for the provider to allow you to access improvements in service delivery.
The process also has to fit. That applies as much to decision processes and management structures as to the points of interaction between the two firms; the frequency of formal interactions; the process for escalating performance or problem issues. One of the lessons of the Gate Gourmet case was that the unofficial employee power structures rendered Gate Gourmet’s management powerless and impotent.
Overall, assessing compatibility is an intuitive, rather than an analytical process, but a scorecard approach, based on your strategic and risk assessments, will be a great help. The risk is that judgements, which are inevitably subjective, become clouded by personal feelings. As a result, whilst compatibility is fundamental to selection, you may be wary of assigning it too high a percentage of the overall score, probably no more than 30%.
To reduce the risk that emotion and dominant personalities have too great a bearing on the final choice, it is best if each member of the assessment team makes their assessment independently. Then the various scores are added together, rather than allowing one dominant member to exert undue influence.
One final risk consideration – size matters. How important are you to them? Unless you are a big player, the 80/20 rule will apply and it is likely that you represent only a relatively small fraction of the provider’s income and therefore attention. If you are the smaller party you must be prepared to be aggressive in getting top-table attention to make sure your needs are not relegated in the priority stakes. On the other hand, you do not want to be in a position where they depend on you. If you are, you run the risk of relying on a provider which has an inherently unstable business model. The trick is to be big enough in the provider’s eyes, but not too big. All of this needs to be explored during your due diligence. And of course, the situation is dynamic. You need to monitor their take-up of new clients and regularly re-assess your relative position with the provider during the term of the contract.
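The scorecard described under Assessment and evaluation and refined above (requirements rated Vital, Necessary or Nice to have; providers scored 1 to 3; compatibility capped at 30% of the overall score; each assessor scoring independently before the scores are added together), as an added worked example that is not part of the book or of Chase Cooper’s material. The 3/2/1 weights for Vital/Necessary/Nice to have, the flag raised when a Vital requirement is scored ‘does not meet’, the provider names and every score are constructed assumptions.

```python
"""Provider evaluation scorecard (added illustration; not the book's own code).

Scheme from the chapter: requirements rated Vital / Necessary / Nice to have;
providers scored 1 (does not meet), 2 (meets) or 3 (exceeds); 'soft'
compatibility criteria count for no more than 30% of the overall score; each
assessor scores independently and the scores are then added together.
Assumptions added here: Vital/Necessary/Nice carry weights 3/2/1, and a Vital
requirement scored 'does not meet' is reported as a flag for the team.
"""
from dataclasses import dataclass, field
from typing import Dict, List

IMPORTANCE_WEIGHT = {"vital": 3, "necessary": 2, "nice": 1}   # assumed weights
SCORE_MIN, SCORE_MAX = 1, 3       # 1 = does not meet, 2 = meets, 3 = exceeds
SOFT_SHARE = 0.30                 # compatibility: no more than 30% of the total


@dataclass(frozen=True)
class Requirement:
    name: str
    importance: str               # "vital" | "necessary" | "nice"
    soft: bool = False            # cultural fit, leadership, communication ...


@dataclass
class Result:
    total: float                  # sum of the independent assessor scores
    by_assessor: Dict[str, float]
    flags: List[str] = field(default_factory=list)


def _fraction(reqs: List[Requirement], scores: Dict[str, int]) -> float:
    """Weighted score as a fraction (0..1) of the maximum attainable."""
    if not reqs:
        return 0.0
    got = sum(IMPORTANCE_WEIGHT[r.importance] * scores[r.name] for r in reqs)
    top = sum(IMPORTANCE_WEIGHT[r.importance] * SCORE_MAX for r in reqs)
    return got / top


def assessor_score(reqs: List[Requirement], scores: Dict[str, int]) -> float:
    """One assessor's score for one provider, on a 0..100 scale."""
    for r in reqs:
        if not SCORE_MIN <= scores[r.name] <= SCORE_MAX:
            raise ValueError(f"{r.name!r}: score {scores[r.name]} out of range")
    hard = [r for r in reqs if not r.soft]
    soft = [r for r in reqs if r.soft]
    if not soft:                  # nothing to cap: hard criteria carry it all
        return 100.0 * _fraction(hard, scores)
    return 100.0 * ((1 - SOFT_SHARE) * _fraction(hard, scores)
                    + SOFT_SHARE * _fraction(soft, scores))


def evaluate(reqs: List[Requirement],
             assessments: Dict[str, Dict[str, Dict[str, int]]]) -> Dict[str, Result]:
    """assessments maps assessor -> provider -> requirement name -> score.

    Each assessor's sheet is scored on its own and the results are added, so
    no single dominant member can swing the outcome. A Vital requirement that
    any assessor scored 'does not meet' is listed as a flag rather than being
    averaged away (assumption: the team decides what the flag means).
    """
    results: Dict[str, Result] = {}
    providers = {p for sheets in assessments.values() for p in sheets}
    for prov in sorted(providers):
        per = {a: assessor_score(reqs, sheets[prov])
               for a, sheets in assessments.items()}
        flags = sorted(f"{r.name}: 'does not meet' ({a})"
                       for a, sheets in assessments.items()
                       for r in reqs
                       if r.importance == "vital"
                       and sheets[prov][r.name] == SCORE_MIN)
        results[prov] = Result(sum(per.values()), per, flags)
    return results


# Constructed sample: four 'hard' and two 'soft' requirements, two assessors
# and two hypothetical providers.
REQUIREMENTS = [
    Requirement("data security audited to standard", "vital"),
    Requirement("management capability and resources", "vital"),
    Requirement("scalability of technology", "necessary"),
    Requirement("training provision", "nice"),
    Requirement("cultural fit", "vital", soft=True),
    Requirement("openness to innovation", "necessary", soft=True),
]


def sheet(*scores: int) -> Dict[str, int]:
    """Build one assessor's sheet; scores are given in REQUIREMENTS order."""
    return {r.name: s for r, s in zip(REQUIREMENTS, scores)}


ASSESSMENTS = {
    "operations lead": {"Provider Alpha": sheet(3, 3, 2, 2, 2, 2),
                        "Provider Beta": sheet(1, 3, 3, 3, 3, 3)},
    "security lead": {"Provider Alpha": sheet(3, 2, 2, 2, 2, 2),
                      "Provider Beta": sheet(1, 2, 3, 3, 3, 2)},
}

if __name__ == "__main__":
    ranking = sorted(evaluate(REQUIREMENTS, ASSESSMENTS).items(),
                     key=lambda kv: -kv[1].total)
    for name, res in ranking:
        print(f"{name}: {res.total:.1f}", *res.flags, sep="\n  ")
```

In the constructed sample Provider Beta edges ahead on the added score yet both assessors rated its data security as ‘does not meet’, which is exactly the kind of point the team should see before the number decides the choice.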


Commercial soundness and sustainability


This is a long-term relationship which is going to have a major impact on your reputation. We have already mentioned the provider’s functional capability to provide a service over time, especially if your requirements grow. Considering whether the provider will be there in the long-term is an important part of the overall assessment.
One element of that is, of course, the financial due diligence you will have undertaken on the providers you are considering. Since outsourcing is very often driven initially by an investment funding or cost need, the provider must have the strength of a sustainable cash flow to offer the required performance over time and the ability to provide the investment required to meet present and future needs. It is therefore important to ask about competing resource needs and how the provider might handle future needs, if they are successful. This can be part of a strategic visioning session with prospective service providers looking at where you each expect to be in three or five years’ time. It also provides an opportunity to consider whether their processes are scalable to the level you have in mind – and beyond. Sustainability is not just about cash but about intangibles, such as position in the market and the ability of the provider to change with changing market requirements. The visioning sessions will help you to understand better the provider’s ability to change with the market.
A final pointer to sustainability is the provider’s governance structure. What are their internal management practices? What is the quality and importance (to them) of their risk management? What is the structure of their board and audit committee and other functions? Is there a strong institutional investor, which may bring a degree of capital support as well as expertise to their board? The key to a sustainable business is sound risk governance.

Some tips on service level agreements


Having made your selection, it is now time to turn to the contract which will govern your future relationship, the service level agreement (SLA). It is your fundamental risk control. It will specify the regular reporting you require of risk and control assessments, relevant key risk indicators and key control indicators. It will also detail the reports you require of incidents and losses, not just those which are for your account, but also those for which the provider is responsible and has suffered the cost.
When you are negotiating the SLA, take a risk-based view of contract development. You will have undertaken a risk assessment, which will have included assumptions about who owns which risks. It is now time to be upfront about the risks you are trying to mitigate and agree a risk ownership matrix. As we have said so often, clarity of roles and responsibilities is a critical element of good operational risk management.


Another tip is to agree the operational details before you get to the legal
ones. This is a partnership after all. If you can agree operational and risk issues
before you draw up the legal document, you will avoid the risk of undue
entanglement with lawyers and legal jargon, and achieve a mutually beneficial
deal in a shorter timeframe which you can both sign up to.
And be strong. You have been through all the analysis and assessment. You
know what you want and why, so don’t allow a provider to dictate what you will
receive. Get what you want, which is, after all, what you need. Above all, do not
agree to finalise the scope, price or service levels after contract signature, or enter
into an agreement which relies on benchmarking to keep the supplier ‘honest’.
The contract is the deal. What is written down and signed is the service you
will receive for the next three to five years, so make sure it is what you want
and that as far as possible it is absolutely clear.
When you look at what an SLA typically contains, you will see that practically
every clause represents some form of risk control covering the elements of risk
management we discuss in this chapter. Table 13.1 shows some typical headlines.

Table 13.1 Contents of a typical service level agreement

1. Scope – including all pertinent parameters of agreement such as parties involved, duration, etc.
2. Division of responsibilities over all aspects
3. Service continuity expectations – including service availability through business continuity incidents
4. Commercial/financial terms – including freedom of provider to raise fees and penalties for poor performance
5. Metrics on expected level of performance, appropriate to activity
6. Performance review process
7. Reporting of performance – including risk and control assessments, key indicators, incidents and issues
8. Issue escalation process – including dispute resolution procedures; contingency plans for performance failures
9. Guidelines on accessibility of information for auditing purposes
10. Confidentiality/non-disclosure/security expectations – including data protection and systems security
11. Exit strategy – including transition to another managed service
12. Change control protocols

Source: Courtesy of Chase Cooper Limited



Part 5 · Practical operational risk management

Finally, having done your best to achieve an SLA which covers all your needs,
avoid over-reliance on it. It is just possible that the provider may be meeting
agreed service levels, but the contract is not successful because the wrong
things are being measured. Be prepared to go back to the table. To help that
happen, you need to make sure that the agreement allows for flexibility and
is not so rigid that it precludes change. If you are working with a real partner
that will not be difficult. After all, both sides want this to work long term.

Managing the project


Governance
Governance provides the set of guidelines for the relationship and a forum for
dealing with legal and service issues. Effective governance will help to ensure
that the provider delivers on what they have promised over the lifetime of the
agreement. Absence of strong governance results in a lack of clarity about the
goals and results of the outsourcing.
As governance typically costs between 3% and 6% of contract value, at the
higher end at start-up and lower over time, make sure it is included in the
original costings.7 It is not a peripheral activity.

The governance team


A frequent source of outsourcing failure is that not enough time and energy
is given to managing the relationship. Governance of outsourcing operates
at many levels – at executive or board level; at project governance level; and
within the in-house and provider’s own business process teams.
The key to good governance is a good governance team of high-level
executives from both organisations who communicate regularly about what
is working and what is not. Ideally, outsourcing governance teams should
include people with hands-on experience of managing a service provider relationship,
and people who understand the needs of the buyer organisation
within the context of outsourcing. There must also be somebody expert in the
area being outsourced, and representatives from areas such as finance, legal
and, if you have them, procurement or (out)sourcing. And especially somebody
from operational risk management.
If you have a sourcing or similar department managing all outsourced activities
as a portfolio, you will have effectively created an outsourcing centre of
excellence which can be used to leverage best practices. Outsourcing requires
different types of expertise in its management, so use all the information that
is available.
The important thing, though, both within the project and within the firms
concerned, is communication and putting in place a full communication plan.

Within the project team this will ensure that issues are escalated as appropriate.
It will also mean that lessons learnt from monitoring and reporting are fed
into the change management process and acted upon.
Within the buyer’s firm, good communication should ensure that staff,
especially those directly affected, are aware of the reasons why a particular
process is being outsourced and the benefits to be gained. As we point out in
Chapter 14, People risk, failure to communicate with staff effectively leads to
damaging gossip, rumour and loss of morale. Make sure staff who are being
retained know that as soon as possible. As we also point out in that chapter and
elsewhere, the key to good management, whether operational risk management
or otherwise, is trust.
If the people who are going to be directly affected are brought into the process
they can act as a risk mitigant in that their feedback may point to costs
or processes which have been overlooked in the financial and risk assessments.
And, on the basis that the outsourcing will only be successful if in-house staff
are working efficiently, it should reduce middle-management resistance which
can drain the project of many of its intended benefits.
Finally, on a staffing point, try to keep people around who were involved
in the negotiations. However clear you believe the SLA is, people and circumstances
change. It is always helpful to have people available who knew the
intent and thinking behind the transaction.

The transition process


The actual transition to the provider is, of course, a high risk point in the
whole project. That risk will be dramatically reduced if the transition works
smoothly, which it will if it is well-planned and rehearsed. Another problem at
transition is that too often unrealistic expectations are placed on the provider,
both on the ‘go-live’ date and in the months immediately following, and are
reflected in the expectations of the client’s executive management. Be reasonable
and realistic and try to ensure there are no surprises. Good communication
should help to manage those expectations and act as a risk control mechanism.
The transition is one of the elements which should be explicit in the selection
process. Does the partner use a similar project methodology? A smooth transition
is what you are aiming for; a troubled transition will cause immediate
pain and cost. To smooth the process and reduce the risk both at transition and
in the future, it may be a good idea for some of your staff to work in the provider’s
workplace and to second your staff to the provider as the contract continues.
This will ensure that one of your vital controls – the ability to bring the
process back in-house if necessary – will have a greater chance of success. That
kind of partnership will also make it less likely that you will have to.


Monitoring and reporting


The first thing to bear in mind when considering performance assessment is
that you must retain staff with the necessary expertise to supervise and monitor
the outsourced activity and provider. The gain of enhanced performance
through outsourcing will often lead to the loss of in-house expertise. You
cannot allow it also to lead to the loss of your ability to assess performance.
As well as the regular performance reviews – which may be on a daily basis
at first and probably weekly or monthly thereafter – allowance has to be made
for external and internal auditors to perform their own assessments. But whatever
the source, whether it’s a performance or audit assessment, document and
agree the results promptly and regularly within the governance team. That
is your control mechanism for making sure that necessary improvements are
made. It is also the process which leads to amendments to the contract, perhaps
every quarter, to reflect accumulated changes.
Reporting and monitoring should be risk-based. As we said earlier in Some
tips on service level agreements, the provider should be providing regular risk and
control assessments, and action tracking of risk indicators, controls, incidents
and losses. An integral part of monitoring performance is regularly to re-assess
the risks within the relationship – at both management and operational level.
And, of course, you should constantly monitor the deal against the original
objectives in order to check that the transaction continues to meet your
requirements, which may themselves change over time.
Finally, if the provider is not carrying out functions effectively or in compliance
with regulatory requirements, you must be able to take action and put
things right. You will have rights of action within the SLA, but you must also
have in place an effective and regularly tested contingency plan to cope with
major disruptions or process failures (see Chapter 10, Business continuity).

Change
All outsourcing contracts will change. They are never static. After all, the
contract is probably for three to five years or longer. That does not mean jumping
about and over-reacting in month 1. No outsourced operation is perfect
from the start. There will be an efficiency dip in the first two to three months,
through inexperience and the additional checking required initially. After
that, regular monitoring should point to any aspects which require debate and,
if necessary, a change in the contract.
The governance team must be able to deal with change throughout the life of
the contract. Change control protocols are the administrative side of that. They
will form part of a ‘ways of working’ document, agreed at the outset, which will
also clearly state the goals and expectations of performance reporting and assessment.
The human side is that the team should be composed of people who are
open-minded and not wedded to the old ways of doing things.

Changes could relate to performance. But they could equally be about differences
of interpretation or changes in the environment for either buyer or
provider. So keep both the relationship and the contract up to date and make
sure the contract works for both parties and is flexible enough to cater for change.
Above all, document, document, document – throughout the duration of
the contract and immediately an event happens or a meeting takes place.

Offshoring
Because outsourcing is a partnership, there needs to be full collaboration
between buyer and service provider. That can be a particular challenge where
collaboration has to be with an offshore team, probably working within a different
culture.
To make offshore outsourcing work as effectively as possible, you should
first make sure that you have a high quality local leader for the offshore team.
If you can then blend the offshore team with effective onshore specialists, the
benefits will be considerable and the risks much lower.
Part of that blending process is training. To be most effective, train the offshore
team at the home office first, so that they can become trainers and leaders
offshore. They will understand and be able to transmit your values and culture
– and, of course, the training will give you a chance to understand theirs. The
more onshore people you can involve, the better. The whole team will become
ambassadors for the project and make it work.
Partnering in this way will also help to overcome the linguistic and cultural
barriers and risks which are all part of offshore outsourcing. People risks
such as these are a major element of offshore outsourcing and, apart from language
risk (both with the provider and involving local laws and professionals),
can include: different HR and employment law requirements; poor communications;
different data protection requirements; or different ethical standards
regarding bribery. Many firms have suffered reputational damage when it has
emerged that their expensive products have been produced by ‘sweatshop’
labour. You need to establish in your SLA the standards you expect. In the case
of data security, that may be related to international standards, such as those
published by BITS or ISO 27001. In other cases you must spell out precisely
what your standards are and then make sure that monitoring them is part of
your regular monitoring and auditing process.
Finally, and inevitably when considering offshore outsourcing, there is currency
risk. In 2008, for instance, the Indian rupee depreciated by over 23%
against the US dollar.8 Since most contracts with firms dealing in the dollar
will have been fixed in dollars, that represented a significant additional profit
to the Indian provider. Of course, that could work the other way, so where
contracts involve volatile currencies – and which currency is not volatile,
including the US dollar – one answer may be to include a clause which shares
profits arising purely from currency movements above a certain percentage.

Exit strategy
The SLA will provide for contingency plans to cope with serious problems
which arise during the term of a contract. However, there will be times when
the contract has to be terminated. There can be many reasons why it may
be necessary to exit the contract. Failure of the provider or failure to deliver
to the required standard or quality are the most obvious reasons. Action by
the provider which causes reputational damage can be another. Less easy to
predict – but something which should be monitored as part of regular risk re-assessments
– is the acquisition of the provider by a company which then
either sells it on or merges it with another within the group. That could well
justify and require breaking the contract and bringing a process in-house.
Within financial services it is a regulatory requirement that a firm should
be able to bring any outsourced activity back in-house. That means, as we
have seen above, maintaining appropriate resources, both trained people and
infrastructure, and having a clear plan to enable them rapidly to assume the
outsourced function. But all sectors must think about their exit strategy. If you
do not, you face the risks of becoming dependent on the provider, of losing
your negotiating power and of finding it difficult to move elsewhere.
You should also be able to exit for your own reasons and terminate with
reasonable notice under softer conditions than those resulting from breaches of
the contract by the service provider. That means being clear at the outset, and
in the contract, about:
• the circumstances under which the contract may be terminated
• how the activity can be brought back in-house (or passed on to a third party)
• who owns what assets, and
• when compensation is due.
Above all, outsourcing is a partnership. If you have managed the relationship
as well as you should, even termination can be a collaborative operation.

Notes
1 Peter Haines, ‘Outsourcing and business information: is anybody feeling sorry for the banks?’, www.complinet.com, 3 September 2008.
2 www.computerweekly.com, 17 April 2007.
3 John-Paul Kamath, ‘Outsourcing “derailed by focus on ROI”’, computerweekly.com, April 2007.
4 Elizabeth Knight, ‘Myths on outsourcing – week 2’, www.articlesbase.com/print/947426, 1 June 2009.
5 Joe Leahy and James Fontanella-Khan, ‘Outsourcing clients on the lookout for red flags’, Financial Times, 22 January 2009.
6 For further commentary, see www.erconsultants.co.uk/ot/case_studies/gate_gourmet_affair.

7 Bob Violino, ‘Outsourcing governance: A success story’, www.outsourcing.com, 21 March 2008; see also, same date and source, ‘Governance: A key to outsourcing success’, also by Bob Violino, whose guidance is gratefully acknowledged.
8 Sarah Johnson, ‘Rethinking risk in offshore outsourcing deals’, Economist, 2 September 2009; www.economist.com.

14 · People risk

Introduction
The people environment
Mitigating people risks
Succession planning
The human resources department
Key people risk indicators


Introduction
When it comes down to it, most operational risks are ultimately the result of
‘people’ failure, whether at a strategic, managerial or operational level. ‘Our
people are our greatest asset’, we read at the end of the Chairman’s or CEO’s
statement in the annual Report and Accounts. True. But just as risk is as much
about opportunities as threats, so our people are also ‘our greatest potential liability’.
Yet firms rarely consider people management, as such, to be the key element
of their overall risk management.
There are two sides to people risk: employees and their managers. Take
employees first. People are essentially honest; they do not come to work to
defraud or to cause disruption. However, leaving aside risk factors such as individuals’
lack of competence, training and experience, there are many aspects of
their personal or domestic environment which will affect their reliability from
day to day, or even from minute to minute. Times of personal stress – unemployment,
bereavement, relationship break-up, health problems, threats to
income (many of which feed off each other) – lead to behaviour, even criminal
behaviour, which would be out of character in stable times. Because people’s
personal circumstances change from day to day, assessing exposure to people
risk is difficult. The skill is to manage effectively, rather than to assess accurately,
which brings us to the other side of people risk – managers.
To pressures generated outside work can be added those created by poor
management and organisation within the workplace: lack of clarity about what
needs to be done; too little time to fulfil tasks; too many tasks; the complexity
of tasks and work processes; lack of support from colleagues or technology;
unreasonable managers. All of these add to stress and unreliability and increase
risk. They are symptomatic of an organisation which doesn’t rate people management
as a priority.
We accept that our people are not going to be with us ‘from cradle to
grave’. As Charles Handy has put it: ‘Organisations are never again going to
stockpile people. The employee society is on the wane.’1 But we need to ensure
that we retain the best people and that all perform to their best ability. If we
can create the right environment to achieve that, we will at the same time considerably
minimise our people risks.

The people environment

What do we mean by excellence?


The first step to creating the right people environment is to be clear about
the firm’s strategy and business objectives. Once those are established, the next
step is to identify the behaviours which will enable them to be achieved. Those
behaviours – what we mean by excellence and good performance – will define
the firm’s culture. They will form the basis of the selection, appraisal and
reward systems which, as we shall see, are amongst the key controls of people
risk. But what will excellent performance look like?
As examples, key behaviours will almost certainly include teamwork and
providing high-quality services. Teamwork can be expressed through actions
such as: cross-function collaboration; collective responsibility; and group decision-making.
Providing high-quality services may involve: establishing
client relationships; responding to client demands; aligning contact with client
needs; monitoring client progress; and dealing with problems and complaints.
Having established the basic headings, we can then detail what constitutes
excellent behaviour or performance. For collective responsibility, for instance,
high performance might be described as:
‘Promotes and supports the decisions of the group even when these may
not fit with the priorities of his or her own function or sector and accepts
and encourages others to live out collective responsibility’.
High performance in dealing with client problems and complaints may be
described as,
‘Acts as a highly trusted adviser/counsellor and client confidant – not
only in good times – but also when things go wrong for the client.
Willing to go the extra mile – including “taking their part” to resolve difficulties
or complaints.’
Key behaviours will also specifically include ethical behaviours, which are fundamental
to all employee-related dealings and should be written down in the
staff handbook. As an example, in February 2005, the Worshipful Company
of International Bankers in the City of London published Principles of Good
Business Conduct, to which all its members subscribe:
• ‘Act honestly, fairly and with integrity at all times in dealings with colleagues,
clients, customers and counterparties
• Observe applicable laws, regulations and professional standards
• Manage fairly and effectively any conflicts of interest.’
As we shall consider in the next section, those behaviours have to run through
the DNA of the firm. Failure to establish an environment where teamwork
and collegiality is valued can mean that silos exist, within which unacceptable
behaviours are tolerated and which can lead to client dissatisfaction and serious
reputation risk for the firm. Failure to monitor client progress and to react
immediately if there is a problem will usually lead not only to loss of clients,
but also to the costs of resolving a problem escalating in terms of both cash
and resource.


Leadership
The tone from the top
In a firm which has thought seriously about the behaviours it requires for
excellent performance at a firm-wide level, it is almost inevitable that senior
management will themselves ‘walk the talk’. There will be an environment of
trust, where people share common values, including a common approach to
risk, and work together in a culture of acceptable ethics and behaviours.
As is so often said, the tone of that culture, the ‘tune in the middle’, will
be set from the top, which is where, ironically, many of the biggest operational
risks in terms of impact can lie: a bad acquisition decision, losing the trust and
support of investors, lack of strategy or, if there is a strategy, failure to translate
it into an achievable operating plan. The CEO probably owns the biggest risks,
but risk registers often include the CEO only under the guise of ‘poor strategic
management’, an inadequate and broad risk category. This is to ignore the
specific risks mentioned above as well as other softer operational risks, such as
poor implementation of the business plan, poor communication both within and
without the firm, or loss of reputation, all of which lie at the door of the CEO.
If the CEO is assiduous in the attention he or she pays to the controls of those
risks, this will set a cultural and risk management tone throughout the firm.
Worse than poor strategic decisions, though, is a cancerous environment
where the CEO is complicit in dishonest and unethical acts. Or where only
the CEO appears able to make a decision, so that he or she is the sole repository
of what is happening in the firm. Or an environment in which bad news
is hidden: ‘the CEO wouldn’t like to hear that’ syndrome. So we don’t tell her
or him. There must be an atmosphere where staff feel able to criticise their superiors
and where communication runs openly and freely up and down the firm.
Given the criticality of creating the right kind of environment, both to
improve performance and reduce risk, it is surprising how rarely the board, and
especially the independent non-executive directors, formally assess ‘the tone
from the top’, including taking soundings within and without the firm.
It doesn’t have to be complicated. An effective board, which does not
kowtow to the CEO, will keep factors like those under constant review and
take action including, if necessary, firing the CEO.

Openness and transparency


Good operational risk management depends on openness and transparency.
That cannot happen in a blame or closed culture. As we have remarked earlier,
blame is the enemy of understanding. One of the problems of operational
risk is that events or ‘near misses’ generally have to be reported individually
rather than through the financial reporting systems. As a result, many events
are not reported, which greatly diminishes the effectiveness of risk assessment;
or they get reported late, which can often result in a greater loss than
might otherwise have been the case. So honesty and integrity lie at the heart
of operational risk management.
Human nature being what it is, people have to be in a position where the
benefit of reporting losses or problems is greater than the risk of hiding them.
As a first step, that may mean establishing a system where losses are reported
anonymously. In a sense that is an admission of failure. In a culture of trust,
reporting losses, problems and potential risks is encouraged and rewarded by
positive feedback. It may be possible to internally ‘reimburse’ financial losses
which are reported. In some firms, reports on ‘near misses’ can earn reward points
which can be translated into catalogue prizes at the end of the year. It may sound
strange, but if it means near misses are recorded, and incident and loss recording
enhanced, future risks can be avoided and the control environment improved.
In the airline industry, for instance, reporting is an accepted part of the
culture. Airline pilots are expected to, and do, report errors they have made
during flights, so that training or systems can be enhanced, and risks to safety
reduced. For them, risk reporting is part of a process of learning and continuous
improvement, part of an environment in which everybody’s views are
valued and they are encouraged to contribute to ideas to improve their own
and other people’s performance.

Effective management
The other aspect of communication within the firm is that from management
down. It also needs to be full and appropriate. Relying on some form of informal
cascade only leads to the risk of rumour and gossip. On the other hand,
the overly stage-managed town hall style presentation can be met with cynicism
and lack of impact, as well as irritation. People are different, as are the
messages, so the medium has to be tailored to the message and to the audience.
That way the risk of non-communication will be avoided.
Throughout this book we speak of the need for people to be clear about
their objectives and their role and responsibilities as regards risk management.
As we have frequently pointed out, every member of staff is involved in operational
risk management. Clarity of roles and responsibilities is a fundamental
part of the risk management framework. One of the benefits of this aspect of
good risk management is that clarity of roles and responsibilities is also key
to making people aware of their position and worth within the firm. Where
people can explain how they contribute to the organisation, they will make a
positive contribution to its performance.

Change and flexibility


Fundamentally, a good people environment will be one which encourages continuous
improvement and is open to change and flexibility. Employees should
be encouraged to be creative and innovative and not allow work processes and
practices to be rigid, inflexible and stale – in other words unfit for purpose,
exposing the firm to more risk.
No firm is static any more than the external environment remains static. Firms
are always at some changing point of evolution and development – whether they
are growing or contracting. Growth may mean that the entrepreneur culture at
the outset has to be tempered by a more structured, control environment. The
original close-knit team gives way to a larger organisation which, for some, may
be uncomfortably bureaucratic. At a time of contraction, the effects of downsizing,
restructuring and redundancy will have to be managed.
All these changes mean a changing operational risk environment and operational
risk exposure which needs to be constantly re-assessed. From a people
risk point of view, a changing risk profile and risk environment may require
different skills being developed or brought in. It is management’s job to be
aware of changed conditions, and to be able to adapt quickly. In this way, risks
can be anticipated and their impact limited before they arise. Organisations
need to keep fit to remain healthy, just as do the people within them.

When the going gets tough


Since all types of risk – operational, credit, market, third party dependencies,
liquidity – tend to correlate on the downside, so that when one gets worse,
the others also tend to (especially operational risk), it follows that people risks
resulting from work and domestic pressures will be greatly exacerbated at
times of financial or economic crisis. Being able to adapt and to develop appropriate
skills becomes even more important in times of crisis. That’s when you
find if you’ve developed the right people environment.
The temptation at times of economic trouble is to cut staff, cut training
and hope the storm will blow over. It may well be that staff have to be made
redundant, but losing trained and skilled people will undermine future competitiveness
and increase risk. It may be better to devote time to managing
people costs more efficiently, for example by: improving absence management;
being more rigorous with expenses; imaginative use of contractors, secondments,
or flexible and part-time working.
In any case, have you established a clear enough picture of where you want
the firm to be in two or three years’ time to be able to assess the skills you will
need to get you through? And do you have an assessment process which identifies
those people with the requisite skills? They may not be the people doing
the best job today, but could be your salvation in the future.


Mitigating people risks


Creating the right environment will do much to reduce people risks. After
that, the fundamental way of mitigating those risks is by effective controls.
Controls protect the firm from risk, but also help to protect people from them-
selves, especially when times are difficult.
But there are other elements of people risk mitigation beyond internal process
controls. To see them in their context, here are some typical people risk events,
their probable causes and the methods by which those risks can be reduced:

Table 14.1 People risks and their mitigants

Risk event: Employee criminal activity; fraud; unauthorised activity
  Cause: Lack of integrity, dishonesty – Mitigants: Environment; Selection

Risk event: Errors
  Cause: Lack of competence – Mitigants: Selection; Training/development
  Cause: Lack of training – Mitigant: Training/development
  Cause: Poor process culture – Mitigants: Environment; Appraisals/assessment

Risk event: Employment law failures (hiring, firing, discrimination, health and safety, etc.)
  Cause: Lack of training – Mitigant: Training/development
  Cause: Lack of legal awareness and knowledge – Mitigant: HR policy and process
  Cause: Poor people culture – Mitigants: Environment; Appraisals/assessment

Risk event: Poor (high-risk) business/transaction decisions
  Cause: Inappropriate incentives – Mitigant: Remuneration policy
  Cause: Incompetent staff – Mitigants: Selection; Training/development
  Cause: Autocratic top management/lack of challenge – Mitigants: Environment; Governance
  Cause: Poor risk culture – Mitigants: Environment; Risk policy and appetite

Risk event: Labour relations failures
  Cause: Poor people culture – Mitigant: Environment
  Cause: Inexperienced managers – Mitigants: Training/development; Selection; Appraisals/assessment

Risk event: Loss (or lack) of personnel, talent
  Cause: Poor people culture – Mitigants: Environment; Training/development; Appraisals/assessment; Retention
  Cause: Inadequate remuneration – Mitigant: Remuneration policy
  Cause: Failure to recruit – Mitigant: Selection

Risk event: Loss of intellectual property
  Cause: Poor people culture – Mitigants: Retention; Employment contract



Part 5 · Practical operational risk management

Selection
People risk often starts at the beginning with selection and choosing the
wrong people. Poor selection leads to cost and wasted management resource.
Effective selection is an opportunity to add benefit to the firm.

Who do we want?

• Go for fit rather than capability. If you really want to place a piece of grit
in the oyster because you know you’re about to embark on a period of
serious change and need somebody who will effect that change, fine.
Otherwise, consider behaviours and choose the person who fits your
culture, rather than the person who appears to tick all the boxes of
expertise and experience. You can teach people competencies, but you can’t
change personalities. Or as Peter Schutz, former President and CEO of
Porsche AG, has put it, ‘Hire character. Train skill’.[2]
• Psychometric tests. They undoubtedly have value, especially if linked with
the excellent behaviours you identified at the outset, and can provide an
evidenced rationale for your selection decisions. But they should be an
aid to judgement, not a substitute. If your gut instinct contradicts the
test, go with your gut.
• Recruit with one eye on the future. We are often too certain about what and
who we are looking for. Have we really thought about the future and
where the firm and the industry is going? The world and the firm will
change – and sooner than we may think or like. Another reason to go for
fit – and flexibility.

Who does the selecting?

• The line manager. But does he or she have the skills necessary to
interview a potential employee? Do they have the technical knowledge of HR
policy and legislation? Is it clear what aspect of the selection process they
are dealing with? Too often, when HR is asked to draw up a contract for
a new employee, commitments emerge, which have been given by the
manager to the recruit, which diverge completely from the pay and
benefit structures around the firm. So take care about who plays what role in
the process and make sure they are clear about their role and the limit of
their authority.
• Do you have a cadre of senior managers who understand the firm and
how it ticks and have proved their worth as good selectors? Develop
them into a panel to oversee all appointments over a certain level. They
will ensure that you select for fit.


The process

• Develop selection processes which attract and identify candidates with
high potential. Employment may not be for life, but nor is it only for the
immediate future or problem.
• The process may include an outsourced recruiter. There’s nothing
inherently wrong with outsourcing aspects of selection. But if you do, make
sure the search firm thoroughly understands your business and doesn’t
just rely on the specification given. If it’s a first assignment – whether
for the firm or a particular department – at least the first third of the
recruiter’s time should be spent inside the firm, working from there
to get a clear understanding of its culture, as well as the assignment
itself. Only then can they go out to the market (the next third) and sort
through the candidates (the final third).
• There is, of course, one other informal selection process, which goes back
to the comment about selecting for fit – that is referral, contacts or
recommendation. You may not have a current vacancy, but if you do come across
somebody that way, create a role to get them on board. As Henry Grunfeld,
co-founder of bankers S.G. Warburg & Co, once said: ‘Recruiting is like
buying a tie – you buy one when you see one you like; you do not wait
until you need one.’ The selection process can be imperfect enough.

Appraisals and performance management


Appraisals are a critical part of performance management. Performance should
be measured not just on achievement of financial targets but also on
non-financial behavioural criteria. Appraisals are the opportunity to reinforce the
excellent behaviours which will increase the firm’s chances of sustained success
and reduce its risks by confronting poor behaviours.
To do that, they have to be fair. Fair appraisals reduce the probability of a
number of people risks occurring or, if they do occur, being resolved at an early
stage and reducing their impact. We have already emphasised the importance
of trust to support a culture of honesty and openness and so improve risk
management. Fair appraisals are part of that process of trust.
But how do we ensure that appraisals are fair? Compare them. Does the
department which appears to have a remarkable cohort of A individuals
actually outperform the one which seems to be dominated by down-the-middle Cs?
It’s more likely that the appraisers are differently motivated than that the mix
of individuals is so divergent.
Do you genuinely check and analyse for gender or race bias? Once it’s
known you do, it will be surprising how quickly staff become confident in the
system and maverick managers are brought into line.


And are those above average scores really justified? Too often, when a
department head comes to HR to say that, for whatever reason, Mr X or Ms
Y has to be fired, they invariably find that the last couple of appraisals have
been glowing to the point of excellent. How strange that ‘good’ people become
‘bad’ when there are problems. Dishonest appraisals disproportionately increase
the cost of dismissal. If poor staff had been honestly appraised and
identified sooner, when times were good, the costs of dismissal would have been
lower and recruiting a replacement would have been easier than it will be in a
downturn.
One reason for dishonest appraisals is that they continue, despite all the
rhetoric, to be an annual formal event. If so, they cannot provide a forum for
criticism which should have been made months before. We should be
looking at our staff – and our superiors – all the time and providing continuous
feedback so that the firm benefits from the resulting openness. That openness
will improve performance and develop potential, not just for the individual,
but inevitably for the firm as a whole. It should also mean that the formal
appraisal, when it comes, will contain no surprises.
From a risk management point of view, appraisals have a number of
functions. They are primarily the method of reviewing performance against agreed
targets. Since risks are threats to objectives, the firm’s or unit’s objectives
should form the basis of performance targets, both financial and non-financial.
Appraisals are a critical part of the risk control process and provide useful
indicators of overall people risk exposure. They are also a control on behaviour
and part of the process of maintaining a good risk culture. That is why they
should be validated across the firm to ensure consistency of this vital control.
360° appraisals, in which the appraisal involves everybody who has
contact with the person being appraised, whether above or below them, are
another way of reducing risk by reinforcing acceptable behaviours. However,
anonymity is hard to preserve and it can be difficult to keep 360° appraisals
honest. It all depends, as was highlighted earlier, on whether staff are
encouraged to comment on and, if appropriate, criticise their superiors.
Finally, appraisals point to ways in which an individual can be developed
further, which may include training, to improve risk management or reduce
risk exposure. Staff are like diamonds; they require constant polishing.

Training and development


Just as objectives (and risks) lie at the heart of the appraisal process, so
objectives help to frame a firm’s learning and development needs and those of
individuals. What’s next on the agenda of the firm and therefore for the
individual? Appraisals, and the development needs identified from them, should
be linked to objectives and the behaviours needed to support them. Objectives
also form the basis of assessing the success of training and development. There
is little point embarking on a training or development programme without
assessing whether it succeeded in what it set out to do.
Risk indicators are a critical part of risk assessment and can point to
training and development needs. Table 14.2 gives a few typical examples.

Table 14.2 People risks and indicators of training and development needs

| Risk | Indicator |
| --- | --- |
| Poor throughput | Error rates; productivity |
| Employment law failures; discrimination | Claims by staff |
| Loss of talent (through poor people management/culture) | Resignations of experienced/senior staff |

Training and development may involve courses, but can also mean changes in
responsibility or environment. You never know when somebody will be
missing. At a higher level, leadership should be developed within the firm. Firms
which don’t nurture their talent will see it leave to the competition, who have
spotted new opportunities. If development is switched off, firms will find
themselves with an even more desperate shortage of talent when it is needed –
whether for a downturn or an upturn.
But appraisals are not the only guide to personal development. The firm’s
objectives over the medium term will point to the skills required, so that a
skills audit should be regularly conducted to make sure the firm has a reservoir
of the right kind of both technical and leadership talent to fulfil its strategy.

Reward – or what does your bonus system say about your values?
Given the reams which have been written about the impact of remuneration
structures on behaviours which appear, to the public and politicians at least, to
lie at the heart of the recent financial crisis, it would be hard to consider people
risk without discussing reward and remuneration.
But before we deal with bonuses and the financial crisis, let’s establish a few
principles of good reward policies. At this stage it might be worth reminding
ourselves that reward is not all about remuneration. Remuneration – base pay,
variable pay, share options, other benefits – is the financial aspect of reward.
But there are non-financial aspects of reward which can be just as important to
employees: recognition; the opportunity to develop skills; career opportunities;
the quality of the work–life balance. They all form part of the overall reward
package and may be decisive in retaining a valuable employee – just one aspect
of people risk mitigation.
But to return to the core of reward – remuneration. Remuneration, like
appraisals, with which it is obviously closely linked, should reinforce the
performance and behaviours we require and discourage unwanted behaviour. It
should be based on what the firm considers to be good performance and help
the business achieve its strategic objectives, which should themselves be rooted
in sound risk management.
If remuneration is linked to performance targets which are closely allied to
business objectives, you will have gone a long way to linking remuneration
also to risk appetite. On an oil rig, managers are rewarded primarily for the
quality of their safety management. Hitting production targets comes second.
Remuneration both rewards and incentivises performance. It is not simply
a market wage. But it is also a balancing act between reward and risk. In
the recent financial crisis, did remuneration encourage ‘bad’ and overly risky
behaviour? Probably. But was that, in fact, the publicly visible reflection of a
poor risk management culture? Or even lack of any recognisable risk
management culture? They were both evidence of a remuneration policy which had
lost any connection with business strategy and objectives which were allied to
risk management, including especially the people risks within operational risk.
Nevertheless, a remuneration structure which was almost entirely fixed salary
based did not prevent the Japanese banking crisis of the 1990s.
These are all useful points to remember when we consider the guidance
which has emerged from governments and public policy makers in the wake of
the financial crisis. There are common themes and principles:
• Remuneration policies should promote sound and effective risk
management and include a significant proportion of non-financial metrics in the
assessment process.
Of course remuneration should not encourage excessive risk taking. As
regards non-financial aspects, we have continually emphasised the
importance of establishing the behaviours which will be rewarded, and not just
the achievement of financial targets.
• An appropriate balance between fixed and variable remuneration should
be achieved.
From a firm’s point of view, the guidelines being proposed could see a shift
to a greater proportion of fixed pay, and a reduced incentive for executives
to drive for improved performance. Bonuses are not an evil in themselves,
but they should be used to drive non-financial behaviours and performance
as much as respond to the achievement of targets and profitability.
There is also a danger that the word ‘bonus’ is itself emotive. When
bonuses are ‘guaranteed’ they are simply an element of fixed remuneration.
• Where a significant proportion of remuneration is in the form of a
performance-related bonus, the majority should be:
  • deferred for a minimum period (which will reflect the risks involved
  in the transactions giving rise to the bonus)
  • subject to claw-back (on the deferred element)
  • risk-adjusted, through quantitative criteria and human judgement,
  and reflect all types of risk.
Deferring bonuses should help to discourage short-term risk taking. That
may run counter to investors’ drive for shorter-term performance, but
perhaps investors will have to get used to that for the greater long-term
good. Deferring bonuses certainly has the merit of aligning remuneration
to actual ultimate performance, with that performance based on the whole
range of judgements, including risk.
Incentives are intended to distort behaviour. As a result, they can be a
force for bad as well as good. In principle, awarding performance bonuses in
the form of shares should align reward with true shareholder value. But it can
mean that executives spend more time trying to manipulate the share price
than running the business properly and profitably. And even if peer groups
are used as the basis for stock allocation, the stock market, either at a point
in time or even over a period, is only a rough proxy for relative business
performance. That assumes, of course, that there is a genuine peer group.
Whether the guidelines will improve the quality of risk management remains
to be seen. They should, however, lead to longer-term incentive plans, which is
a step in the right direction. Traditionally, incentives have been too short-term.
That is partly because they tend to focus on things which are easy to measure
and tie in with the firm’s (usually) annual reporting cycle, whereas the effect of
an employee on the firm’s future performance is difficult to quantify.
However, in times of crisis it may be more appropriate to call on the
reservoir of trust you have built up with your staff and revert to short-term plans.
At such times you need tactics rather than strategy. Longer-term plans can
come when times are calmer.
The final point made in the guidelines is that there should be greatly
increased public disclosure of the basis for remuneration. Of far more
importance from a people risk management point of view is that the internal
culture of openness and transparency should extend to remuneration. People are
entitled to know the basis on which they and their peers will be remunerated
so that they see the process as being fair and open. There has to be
differentiation in pay, otherwise remuneration loses its power to incentivise good
performance and drive out bad behaviours. The reaction is often to shroud
remuneration in secrecy. The risk of upsetting people by paying them at
different levels is, however, dwarfed by the negative impact of being secretive.
Discretionary bonuses actually have limited real impact, unless they are
enshrined in a process structured around performance, and are unlikely to affect
the changes in behaviour which can lead to business success. When they are
not allied to transparent performance criteria and are announced in secret, they
simply foster distrust, the enemy of good management and good operational risk
management. Transparency would drastically rein in the manifest inequities of a
secret system which is not truly allied to all aspects of performance.
A clumsily managed or crudely applied remuneration policy risks losing staff
and may be seen as tolerating under-performance, under-rewarding people who
have behaved excellently or even of rewarding people who threaten to leave.
Flexibility is important, though. What counts as good performance in the
future may be very different from what counted as good performance in the past.
Finally, who polices remuneration and remuneration policies? Apart from
externals such as investors, the media and legislative committees – all of whom
seem reasonably ineffectual – there is, of course, the board and the
remuneration committee. Ensuring that their senior executives are in a top ‘quartile’ or
similar cohort means that inflation is built into the system and does little to
ensure that reward is genuinely linked to the performance criteria which reflect
the particular circumstances of the firm at a particular point of time. Boards
must tie remuneration back to performance criteria which are transparent. Not
only will that mean that excellence will justifiably and publicly be rewarded,
but poor performance, including that of the CEO, can be immediately dealt
with, again both justifiably and publicly.

Succession planning

Staff retention
The simplest form of succession planning is, of course, not to lose staff in the
first place. Retaining trained and experienced staff is a key to excellent risk
management. You cannot afford to lose both the commitment and the
intellectual capital of your best employees.
Since the human brain is the easiest way to carry information (and secrets)
out of a firm, you should look at how corporate knowledge has been developed,
documented and converted into intellectual capital. Has corporate knowledge
been compared with competitor knowledge to identify your intellectual as well
as your competitive advantage – and the risks if you should lose it? That’s one
strategy to reduce the risks which an ex-employee can cause either maliciously
or if, for instance, they can exploit their knowledge of your systems or strategy.
Employment contracts and gardening leave can get you only so far.
The opening of Heathrow’s new Terminal 5 in March 2008 was a good
example of how lack of a skills audit and failure to retain people with
knowledge caused untold financial and reputational damage.
Another risk mitigation strategy to reduce the possibility of losing staff is,
wherever possible, the exit interview. It may be too late for the employee who
is leaving, but they may be able to give pointers which will help you retain
those who remain.


Case study: Opening of Heathrow, Terminal Five (2008)


When Heathrow’s brand new terminal opened, the state of the art
baggage handling system failed. To exacerbate the problem, critical baggage
handling staff were prevented from reaching their work stations because
of new security measures. What is less well-known is that British
Airways had gone ahead with a redundancy programme which
anticipated that the system would work and took effect immediately before the
terminal opening. The result was that knowledge and experience which
would be needed perhaps only once in 20 years was unavailable just when
it was needed. A skills audit conducted with the redundancy programme,
together with realistic scenario planning, would have significantly
reduced the impact on BA’s finances and the reputation of both BA and
the UK in terms of industrial relations.

Your best employees will always be in demand. If you do not nurture your
talented people, they will leave for competitors who spot new opportunities
which may arise from destabilisation in the established marketplace. In the
end, the best risk control technique is a pro-active human resources policy
which seeks to create an environment in which people are valued, and there is a
strategy for retaining talented employees and for minimising the damage that
occurs when key people leave.

Succession planning beyond the crisis


But if they do go, can they be replaced? At its most basic level, in an appraisal,
you should be able to answer the question, who would replace you – and
when? In other words, have you developed your subordinates so that you are
effectively expendable? Or at least expendable in your present position. Of
course, if the system works properly, your superior should be in the same
happy state, with you pencilled in to fill their shoes. Which is another
question worth asking in an appraisal.
Whilst that may represent a robust succession plan for your job, it’s of little
use if the same person has been pencilled in to fill a number of gaps around the
firm. So, as senior executive, make sure you look across your area and have a
plan which will survive the loss of more than one of your key people. 9/11 was
a tragic example of firms losing a number of staff at the same time, just as they
might, albeit temporarily, with a virulent pandemic. And of course, keep the
plan under constant review. Almost by definition, it may need to be activated
at very short notice, whether from natural causes such as illness or even death,
or from the fact that a person or team simply resigns and walks out of the door.


Crisis management is generally as far as most plans go. A crisis plan is
fine, but a true succession plan should be a plan for the longer term, not just
an immediate crisis. Is the crisis replacement expected to be the permanent
replacement or merely a stop-gap? In any case, if somebody leaves, will the job
and skills required remain the same, or will a different organisational or skills
structure better reflect the firm’s strategy and objectives?
True succession planning involves drawing up a skills matrix, performing
a gap analysis and then acting on what it tells you. That may mean
rethinking the firm’s medium-term strategy, or it may mean rethinking your
view of current employees and whether they really are the best people in the
medium term. Succession planning is a classic control to minimise the risks of
a sudden absence of personnel.

The human resources department


Of course, we all know what HR does. They coordinate appraisals and organise
training courses. With luck, they may also sort out remuneration and selection
policies, fire people when managers can’t face doing it themselves, and above
all make sure firms don’t fall foul of an increasing tide of employment
legislation. Those are all aspects of operational risk management, which should be
the responsibility of line management. If they are all down to HR, then HR is
being poorly used and people management is probably poor also.
HR is there to be the driver of good people management within the firm,
promoting good – and better – behaviours. It should be a critical friend to the
board by providing guidance and minimising reputational risk. In fact, HR
should be seen as one of the key risk management functions. We expect the
head of risk management to put in place a risk framework which will cover all
the standard risks. Do we ask the HR director to put in place a ‘people risk’
management framework? Perhaps we do not because, as with operational risk
management, managing people is ‘what we do’.
HR needs to ensure there is a strong HR strategy and policy, allied to risk
and business objectives, and that the policy is fully communicated and
implemented consistently throughout the firm. Like risk management, much of
people risk is delegated to line managers but HR is there to maintain
oversight of the process.
Again like risk management, HR will only add value if it is in tune with
the firm’s commercial needs and objectives. It does not need to be a large
function. Indeed, in a well-run firm, it will not be because line management
operates good people management. But it should be central to a firm’s
management. A good test is whether the HR director would be on the shortlist for
CEO or COO.


That leads to one final question – does the head of HR have to be an HR
professional, or would a good line manager be able to do the job just as well?
Given the scale of financial and reputational risks of non-compliance with
legislation – employment, discrimination, health and safety and so on – it’s
probably best that they should have extensive experience of dealing with these
issues and with all the ramifications of hiring and firing.
Recruiting that kind of expertise to support a good, though HR
inexperienced, senior manager, could be an expensive option. If s/he is good, s/he will
be cheap, but if not, no matter how cheap, s/he will be expensive. However,
you may have the expertise in your in-house legal team or might choose to rely
on external advice when required.
The other side of the coin is that no head of HR is going to be a good head
of HR without a good knowledge of the business whose emotional health, in
the shape of its people, he or she is responsible for.

Key people risk indicators


If people are, as a category, a firm’s biggest potential risk, it’s fair to ask what
indicators are available to monitor that risk, and in particular to monitor the
constituent risks and their controls. When you look at the chain of cause and
effect, many indicators relating to process and systems risks and controls in the
end come back to some form of people risk. They tell you much about levels of
competence in the firm, as well as vulnerabilities, which may point to the need to
strengthen controls in the form of training or simply better people management.
But with people, it’s not just about competence as expressed, say, by IT
failures. We need to dig into the softer environmental issues. Do we use staff morale
surveys? Or count the times the whistle-blowing hotline is used for significant
governance failures? Do we use human reliability assessments, of the kind used
in ‘safety critical’ industries such as nuclear or space? How do we monitor issues
such as stress or bullying and all those other critical, environmental factors?
We can aggregate the marks given in appraisals for the various
behaviours mentioned earlier, and use them as a temperature gauge for whether
the firm as a whole is on target to meet its objectives or whether there are
certain behaviours which are not being met.
One good indicator of stress – or unhappiness with the working environ-
ment – is sickness.
The problem with sickness figures, as we shall see shortly with key staff
turnover, is that the raw number is not a good indicator. One of the
problems with sickness in the NHS is that much of it relates to experienced and
dedicated staff whose conscientiousness means that they exhaust themselves, in
the face of lack of adequate support. So, as with all operational risk data, it is
essential to get beneath the headlines and discover the true cause.


Case study: National Health Service (2009)


In August 2009, Steve Boorman published his interim report on the
UK’s National Health Service, NHS Health and wellbeing.[3] In it he noted
that sickness absence in the NHS, at 10.7 days a year on average, was
greater than the public sector as a whole (9.7 days) and the private sector
(6.4 days). Reducing absence through sickness by a third would result in
a gain of 3.4 million days a year (14,900 whole-time equivalent staff) and
an annual direct cost saving of £555m.
More specifically, and related to risk management, hospitals with high
staff sickness had poor patient satisfaction rates and higher MRSA rates.
The report concluded that reducing reliance on transient agency staff by
reducing NHS staff absence through sickness would lead to a
considerable improvement in patient satisfaction and patient outcomes.

Looking at some of the people risk mitigants discussed above, we can see that
indicators concerning training and development can be developed: how many
staff have been identified with training or development needs? How many of
those needs have actually been fulfilled?
As with all indicators, the key is to get to quality rather than mere numbers
and to understand what the numbers are telling you. Staff turnover is
probably the most common people risk indicator to appear on risk dashboards and
management reports. But staff turnover alone is a very blunt instrument. It
is not the number of staff, but the quality of staff leaving and the knowledge
and experience they take with them which is the issue, so do the turnover data
indicate loss of staff by experience and by appraisal grading? Is there a target
for turnover? In some areas, we might be concerned by turnover of, say, less
than six months. In a new project area, we might be devastated by the loss of
anybody in the team.
And what if we appear to be retaining more staff than we expect? Does that
reflect our excellent work environment and leadership – or are we retaining
staff who are below average, but who are being paid above the going rate for
their competence so that there is no incentive for them to leave?
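An added example (not from the book) of the indicators the last two paragraphs call for, in Python over constructed staff records: raw turnover is reported beside turnover of regretted leavers and early leavers, and retention is checked for the below-average, above-market-pay case. The grade scale, the ‘regretted leaver’ rule and every threshold are assumptions.

```python
"""Added example: people-risk indicators that look beneath raw staff turnover.

The staff records are constructed sample data; the field names, the
'regretted leaver' rule and all thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class StaffRecord:
    staff_id: str
    department: str
    years_service: float
    appraisal_grade: str    # assumed scale: 'A' (top) to 'E' (bottom)
    pay_vs_market: float    # 1.0 = paid at the going rate for the role
    left_this_year: bool


# Constructed sample data: two departments with identical raw turnover but
# very different leavers, and a third with no turnover at all.
STAFF = [
    StaffRecord("p01", "trading", 8.0, "A", 1.00, True),
    StaffRecord("p02", "trading", 6.5, "B", 1.10, True),
    StaffRecord("p03", "trading", 0.4, "C", 1.00, True),
    StaffRecord("p04", "trading", 3.0, "C", 1.00, False),
    StaffRecord("p05", "trading", 2.0, "B", 1.00, False),
    StaffRecord("p06", "ops", 0.3, "D", 1.00, True),
    StaffRecord("p07", "ops", 0.5, "E", 0.90, True),
    StaffRecord("p08", "ops", 0.2, "C", 1.00, True),
    StaffRecord("p09", "ops", 5.0, "C", 1.00, False),
    StaffRecord("p10", "ops", 4.0, "B", 1.00, False),
    StaffRecord("p11", "finance", 7.0, "D", 1.30, False),
    StaffRecord("p12", "finance", 9.0, "E", 1.25, False),
    StaffRecord("p13", "finance", 1.0, "B", 1.00, False),
    StaffRecord("p14", "finance", 2.0, "C", 1.00, False),
]

# Assumed thresholds.
GOOD_GRADES = {"A", "B"}
BELOW_AVERAGE_GRADES = {"D", "E"}
EXPERIENCED_YEARS = 3.0      # service beyond which a leaver takes real know-how
EARLY_LEAVER_YEARS = 0.5     # the chapter's 'less than six months' concern
OVERPAID_RATIO = 1.20        # paid 20% or more above the going rate


def is_regretted(rec: StaffRecord) -> bool:
    """A leaver the firm should regret: highly rated, or long-serving."""
    return rec.appraisal_grade in GOOD_GRADES or rec.years_service >= EXPERIENCED_YEARS


def _by_department(records):
    groups = defaultdict(list)
    for rec in records:
        groups[rec.department].append(rec)
    return groups


def turnover_indicators(records):
    """Per department: the raw turnover rate beside two quality-adjusted rates."""
    result = {}
    for dept, recs in _by_department(records).items():
        headcount = len(recs)
        leavers = [r for r in recs if r.left_this_year]
        result[dept] = {
            "headcount": headcount,
            "raw_turnover": len(leavers) / headcount,
            "regretted_turnover": sum(is_regretted(r) for r in leavers) / headcount,
            "early_leaver_turnover": sum(r.years_service < EARLY_LEAVER_YEARS
                                         for r in leavers) / headcount,
        }
    return result


def comfortable_retention(records):
    """Share of each department that is below average, paid above the going
    rate, and staying: retention that flatters the raw turnover figure."""
    result = {}
    for dept, recs in _by_department(records).items():
        comfortable = [r for r in recs
                       if not r.left_this_year
                       and r.appraisal_grade in BELOW_AVERAGE_GRADES
                       and r.pay_vs_market >= OVERPAID_RATIO]
        result[dept] = len(comfortable) / len(recs)
    return result


def people_risk_alerts(records, regretted_limit=0.25, comfort_limit=0.25):
    """Dashboard lines that a raw turnover number alone would never produce."""
    indicators = turnover_indicators(records)
    comfort = comfortable_retention(records)
    alerts = []
    for dept in sorted(indicators):
        if indicators[dept]["regretted_turnover"] > regretted_limit:
            alerts.append((dept, "losing experienced or highly rated staff"))
        if comfort[dept] > comfort_limit:
            alerts.append((dept, "retaining below-average staff paid above the going rate"))
    return alerts
```

On the sample data, trading and ops both show 60% raw turnover, yet only trading is losing staff it should regret, and finance, with zero turnover, is the department quietly retaining overpaid under-performers.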
Which brings us back to where we started – selection. If we choose the right
people; make sure they are clear about their role and the importance of their
job; give them opportunities to develop and learn; pay them according to clear
and transparent performance criteria which reflect the behaviours of the
organisation; give them regular feedback and dialogue with their superiors; and
make sure there is effective internal employee communication, we shall have
a successful business in which our people risks are being successfully managed
and mitigated.


Good people management is good management is good operational risk management.

15
Reputation risk

What is reputation?
Stakeholders
Reputation and brand
What is reputation risk?
Valuing reputation and reputation risk
How can reputation be damaged?
A framework for reputation risk management
Reputation risk controls
Tracking reputation risk
Managing intermediary risk
It won’t happen to me: what to do when it does


Part 5 · Practical operational risk management

What is reputation?

‘Good name in man and woman, dear my lord,
Is the immediate jewel of their souls:
Who steals my purse steals trash; ’tis something, nothing;
’Twas mine, ’tis his, and hath been slave to thousands;
But he that filches from me my good name
Robs me of that which not enriches him
And makes me poor indeed.’
[Othello, III, iii, 155–161]

As ever, Shakespeare got it right. Iago may have been cynically manipulating
Othello, but he was right in the one key element of reputation – it is all about
perception. It exists in the minds of others, and you neither own nor control
their perceptions. Which makes it difficult to manage.
PR can get you so far, but any reputation has to be genuine and based on
reality. If the credibility gap gets too wide between what a firm does and what
those who deal with it expect, its reputation will suffer and its business will
inevitably decline. Reputation risk management is about recognising the size
of the gap.
People evaluate a firm’s reputation on the basis of available informa-
tion. Some of that information may be controlled by the organisation, such
as annual reports or marketing materials. Other information may take less
obvious forms: a customer’s experience of service; the opinions of customers
in general; staff surveys; the views of all kinds of commentators from parish-
pump gossip, to blogger, to syndicated journalist, to campaigning activist.
Reputation is a subjective, composite assessment resulting from a number of
factors, among which trust will be the key ingredient.
As Morgen Witzel has put it: ‘A reputation is, in effect, the combined ex-
periences that many people have of an organisation over time.’1 Those experi-
ences and perceptions are dynamic and change all the time. Often that change
is caused by the actions or attitudes of others. If your peers and competitors
raise their game, your relative reputation will decline. If one of them behaves
especially badly, your reputation may suffer through guilt by association. It
can also change in response to social and other trends affecting how key con-
stituencies, the reputational stakeholders, understand these actions. The
perception you thought you had given may turn out over time not to be the
one the stakeholder sees.



15 · Reputation risk

Stakeholders
The stakeholders are not just those with whom you deal directly. They include
others, such as regulators and opinion formers, who effectively have in their
hands your licence to operate. They not only influence your direct stakeholders
but also those who may potentially become directly involved with you and, of
course, they influence each other.

Table 15.1 Typical stakeholders

Direct:
  Customers/clients
  Employees
  Suppliers
  Investors
  Business partners

Licence holders – the influencers:
  Regulators
  Trade unions
  Opinion formers
  Broadcast, print and social media
  Politicians
  Political or other lobbyists
  Consumer advocates
  NGOs

Reputation is about meeting the expectations of all these people, many of
whom you may never meet. Whether it is good or bad depends on the comparison
stakeholders make between how a company and its employees are expected to
behave and how they actually do.
Unfortunately, each stakeholder has a different expectation. So, if ‘a reputation
is no more than delivering on a promise’, as Sam Mostyn, Group Executive,
Culture and Reputation, for Insurance Australia Group put it,2 it actually means
delivering on many promises. What your reputation is worth – whether it is a
help or a hindrance to you – depends on whether stakeholders see and experience
your business as rising above or falling short of expectations.
Just as stakeholders’ views change over time, so the groups of stakeholders
can change. They are interest groups which may come and go. If you wish to
build a new factory or office block, the local planning department may appear
as a stakeholder for the first and only time, together with local residents, who
may then remain as a critical group.
To complicate matters further, an individual stakeholder may be in a
number of groups. For example, an employee may also be, and commonly is
in financial services, a customer and an investor, and possibly a member of
one of the influencing groups. Stakeholders are a constantly moving target.
Reputation risk management is a slippery beast.


Reputation and brand

Is reputation the same as brand? Emphatically no. Reputation is about the
perception of stakeholders and in a broad sense is all about engendering trust.
That may be part of a brand, but the point about a brand is that the customer
experience differentiates it from rival brands.
There are obvious parallels. Reputation and brand are driven by values and
behaviour; both depend on experience. However, with brand, the customer
is key, whereas with reputation the customer is a sub-set of the stakeholders,
albeit a significant one. In the context of brand, customers are revenue gener-
ators, which is not true of all reputational stakeholders.
A strong brand can protect a company against intensifying price compe-
tition and help to protect its reputation. But brand alone will not protect a
company from all the reputational risks to which it is exposed. Brands do not
fully capture reputation, being more a sub-set of it. To understand this differ-
ence, we need now to look more closely at reputation risk.

What is reputation risk?

Reputation risk is the risk that a latent problem of reputation, typically of
public trust, will become an actual reputational problem. It is the skeleton, or
more realistically all the skeletons, in the cupboard. Following the definition
of reputation, it is the risk that the firm will act in a way which falls short of
stakeholder expectations.
Is reputation risk a risk in its own right? It is, in the sense that a threat to
its reputation has a direct effect on an organisation. But it is not, once we
realise that reputational damage is almost always a consequence of a risk event,
usually an operational risk event, involving a failure to deliver products and
services as promised and so creating a gap in expectations. Even if it is a
second-order operational risk, reputation risk is nevertheless a critical element
of operational risk management.

Valuing reputation and reputation risk

If you could insure against reputational damage you might be able to put a
price on it. But that’s not possible. As we saw in Chapter 11, insurance, like
reputation risk, depends on a cause. So insurance may cover the operational risk
cause of the reputation risk event, but not reputation risk itself. And of course
we shouldn’t forget the issue of moral hazard. If we can’t, then, look to
insurance, we must look to other means of measuring or valuing it – apart from
the libel courts, that is. But courts are notoriously volatile, partly because of
the very good reputation risk reason that reputation is in the mind of the
stakeholder and, for these purposes, a libel jury is a randomly selected group of
stakeholders, each with their own prejudices and backgrounds – and expectations.
We can look at various economic measures of the effect of reputational
damage – drop in sales, loss of earnings, changes in market capitalisation or
return on assets – but it is difficult to make direct correlations between these
and a perceived loss of reputation. There are too many assumptions and vari-
ables to make it meaningful. In any case, can behaviour and expectations be
measured in terms of money?
The simplest economic measure is probably the significant intangible,
goodwill, a key component of which will be reputation. For a service business
it may even represent its total value. As Alan Greenspan put it: ‘Manufactured
goods often can be evaluated before the completion of a transaction. Service
providers, on the other hand, usually can offer only their reputation.’ 3 But
goodwill can only be properly valued when a business is sold; even then, repu-
tation is just one of a number of factors in its valuation.
Another approach is to use a scorecard. Here again, the variables are many
and their weighting is notoriously subjective. As a basis for a scorecard,
many firms use the factors identified by Charles J. Fombrun, founder of the
Reputation Institute, shown in Table 15.2.

Table 15.2 Harris-Fombrun model of Corporate Reputation Quotient

Driver: Emotional appeal
  Good feeling about the company
  Admire and respect the company
  Trust the company
Driver: Products/services
  Offers high-quality products/services
  Offers good value products/services
  Develops innovative products/services
  Stands behind its products/services
Driver: Vision and leadership
  Has excellent leadership
  Has a clear vision of the future
  Takes advantage of market opportunities
Driver: Workplace environment
  Is well managed
  Looks like a good company to work for
  Looks like it has good employees
Driver: Financial performance
  Record of profitability
  Looks like a low-risk investment
  Strong prospects for future growth
  Tends to outperform its competitors
Driver: Social responsibility
  Supports good causes
  Environmentally responsible
  Treats people well
Source: Reputation Institute


Fombrun devised it as a ranking model, by which the Institute can assess and
report publicly either on the universe of companies or on those in a partic-
ular industry. It is therefore akin to a rating system. As such, it is possible
that it can be self-reinforcing and affect corporate behaviour. Firms will game
the system. But it does provide helpful questions with which a firm can self-
diagnose its perception in the eyes of its various stakeholders.
In the end, the measure of reputation risk is the gap between stakeholder
expectations and actual performance. The value of reputation is, funda-
mentally, the cost of risk, which is the cost of recovering the trust formerly
enjoyed. That cost can be considerable. A survey by Burson-Marsteller of busi-
ness leaders, journalists and financial analysts in the US, suggests that it takes
four years for a company to restore its reputation following a major incident.4

How can reputation be damaged?

The stakes for not getting it right are high. In a recent survey by
PricewaterhouseCoopers,5 reputation risk was seen as a key threat to success
and in a similar survey conducted by Aon,6 reputation risk was the most fre-
quently noted concern across all industries, and amongst the most serious
concerns, in terms of its impact, by financial services firms.

Table 15.3 Reputational problems and poor handling issues

Reputational problem                       Example of poor problem handling
Difficulty in raising capital              Poor investor relations
Losing key employees                       Not listening; poor internal communications
Losing suppliers and customers             Poor marketing communications
An inability to access new markets         Poor dialogue with licensing authorities,
                                           customers and prospective customers
Litigation and more intrusive regulation   Lack of control over operational risks

Some of the problems which arise if reputational issues are poorly handled are
given in Table 15.3. It requires a considerable amount of resource and effort
to restore the trust of the various stakeholder groups identified in that list. At
worst, loss of reputation can lead to the complete destruction of the business,
as in the Enron/Andersen case.
Sadly, for some firms, the comfort of a filtered version of reality is preferable
to the real thing. One of the greatest threats to reputation is what might be
called institutional conditioning, a culture in which the organisation hardly
knows it is moving the boundaries between acceptable and unacceptable
behaviour. Another description of it might be ‘ethical creep’. Or firms behave
badly, get away with it and so go on and do ‘it’ again. Of course, in the case of
Enron, some senior executives knew exactly what they were doing. It has been
argued that institutional conditioning was at the root of the NASA Challenger
and Columbia space shuttle disasters.7 In the case of the Columbia disaster, there
was the added failure to learn the lessons of Challenger, perhaps another
symptom of institutional conditioning. NASA, in common with other firms – and
with UK Members of Parliament in 2009 – clung for too long to the belief that
its own interpretation of ‘acceptable behaviour’ was all that mattered.

Case study Enron/Andersen (2001)

Enron was founded in 1985 following the merger of two gas pipeline
companies. It thrived on the deregulation of the sale of natural gas in the
US in 1985. By 1992 it was the largest merchant of natural gas in the
US and, by 2001, it had become a conglomerate that both owned and
operated gas pipelines, pulp and paper plants, broadband assets, electricity
plants and water plants internationally. The corporation also traded in
financial markets for the same types of products and services.
In achieving this, Enron accumulated a huge mountain of debt. It
managed to hide this and report artificially inflated profits through a
complex web of special purpose entities and accounting treatments which
stretched the limits of accounting practice. Its audited statements were
famously opaque. Although it used derivatives to hedge its liabilities, the
hedges were predominantly with its own special purpose entities, so that
it was effectively entering hedges with itself.
The company failed to satisfy mounting concerns amongst analysts and
investors during 2001 and confidence collapsed after the announcement
of an SEC investigation into the company, a US$1.2bn reduction in
shareholders’ equity and accounting restatements covering the previous
four years, and the discovery of a number of problematic transactions.
A sale of the company fell through and its paper was downgraded to
junk status. It filed for bankruptcy and sought Chapter 11 protection on
2 December 2001.
During the ensuing investigation, Arthur Andersen, its external auditor,
was discovered to have shredded tonnes of documents relating to its
audit of Enron. Andersen collapsed with the loss of around 80,000 jobs.

Operational and reputation risk issues
Enron:
• A culture of fraud amongst senior executives at Enron
• Complete lack of transparency with regard to investors and markets
• Complex corporate structure, full knowledge of which was confined to
  a very small number of senior executives
Arthur Andersen:
• Authorising employees to shred incriminating documents destroyed
  trust in it as an auditor and so destroyed the firm
• Timing is often important – the damaging revelations about the
  shredding emerged just before the audit renewal season

Case study Columbia space shuttle disaster (2003)


The Columbia space shuttle disintegrated on re-entry into the earth’s
atmosphere on 1 February 2003 with the loss of all seven crew members.
The disaster was directly attributable to damage sustained at launch
when a piece of foam insulation the size of a small briefcase broke from
the shuttle’s main propellant tank, hit the leading edge of the left wing
and damaged the Shuttle’s thermal protection system.
During the flight, some engineers suspected damage, and wanted to
use imaging to investigate the state of the shuttle. Investigations were
limited on the basis that little could be done even if the problems were
found. The engineers were also thwarted in their requests for external
astronaut inspections.
NASA’s own requirements stated that the external tank should not shed
foam or other debris, making strikes a safety-of-flight issue, but flights
were repeatedly given the go-ahead despite foam shedding.
Earlier risk assessments had estimated the damage from small ice impacts,
the only impacts recognised as threats to the leading edge wing panels. It
was considered that impact from the less dense foam would be less.
The risk of damage from foam, despite engineering concerns, was reduced
from ‘possible complete penetration’ to ‘slight damage’ in the risk assess-
ment process.
Perhaps more significantly, the Columbia Accident Investigation
Board (CAIB) concluded that NASA had failed to learn many of the les-
sons of the Challenger disaster. In particular, the agency had not set up a
truly independent office for safety oversight, nor had it maintained a cul-
ture and organisational structure which gave sufficient weight to safety
issues. The CAIB believed that ‘the causes of the institutional failure
responsible for Challenger have not been fixed,’ and that the same ‘flawed
decision making process’ that had resulted in the Challenger accident was
responsible for Columbia’s destruction 17 years later.
The Challenger disaster led to shuttle flights being put on hold for 32
months. The Columbia disaster led to a further suspension of two years;
construction of the International Space Station was put on hold and
depended on the Russian space agency for re-supply and crew rotation.


Operational risk issues
• Despite the Challenger disaster, a culture and organisational structure and
  process remained in place in which safety was compromised in the effort to
  maintain the launch programme.
• Acceptance of design deviations as normal when they happened on several
  flights and did not lead to mission-compromising consequences.
• Failure to stress-test scenarios beyond actual past experiences.
• Inadequate crew survival systems, which relied on manual activation.
Source: Based on Volume 1 of the CAIB report, http://caib.nasa.gov/news/report/volume1

In the cases of both NASA’s shuttle programme and UK parliamentarians’
expense claims, deep reforms and public humiliation were perhaps the most
obvious costs for those involved. At a higher level, both episodes carried the
greater, if less measurable, cost of lost public faith in institutions which had
been held in a position of trust which they abused. In operational risk terms,
the risk of loss of public trust crystallised because a control – behaving in an
acceptable manner – failed.
Assuming deception is not ingrained, where can it all go wrong? We might
expect business leaders to be most worried about hazards to reputation arising
out of events beyond their control. In fact, reputation risk is seen largely as a
product of business operations – at least in the shape of their performance or
non-performance. When asked by the Economist Intelligence Unit in 2005,8
international senior executives cited the following as their top reputational risks:
• non-compliance with regulatory/legal obligations (66%)
• exposure of unethical practices (58%)
• security breaches (57%).
It is interesting that all of these (to which could be added failures in service
delivery, poor crisis management and failure to hit financial targets, which
were well up the list) were either wholly or to a great extent within their own
gift, and indeed responsibility, to control.
To those directly controllable reputational risks can be added behavioural
risks, such as:
• accounting practices – are they appropriate and subject to truly independent
  review?
• corporate governance – is the board and its committees truly independent?
  Are conflicts of interest properly handled?
• discrimination – in all its guises
• data privacy/protection
• employee relations.

Then there are areas which are only indirectly under a firm’s control but may
at least be managed through dealings with third parties:
• clients’ clients
• agents
• partners, suppliers, outsourcers
• subsidiaries, affiliates
• regulators and regulatory actions,
or even third parties it does not wish to deal with, such as money launderers or
hackers.
Finally, there are external events which cannot be controlled, but which can
have a serious reputational impact, for example:
• the activities of a few fellow industry members which can have an impact on
  the industry as a whole
• unwarranted allegations, whether supported or not.
A key point to remember is that reputation is damaged by perceived failures,
even if they are not grounded in fact. A firm can be punished not because of
any failure on its part, but simply because it is being held to the wrong stan-
dard or even to one of which it is unaware. If public expectations are simply
‘wrong’, because of factual misunderstanding or misinformation, you need to
take the initiative to redress this. A word of warning, however: managers of
many a collapsed brand have blamed public ‘misunderstanding’ for their own
demise. You may not find sympathy if you offer the public a rationale which
is deeply unpalatable, or seen as out of step with changing standards of accept-
able behaviour.
Given the myriad causes of reputation risk and its ever-changing nature,
how do we manage and mitigate it?

A framework for reputation risk management

Governance
Reputation risk is, at heart, a behavioural issue, on the part both of the
stakeholders and of the organisation. You may remember the words of Professor
Mervyn King, which we quoted in Chapter 1, about the critical importance of
‘the tune in the middle’. The point is not to hand down board initiatives for
reputation, but to ensure that everyone understands and lives up to the plain
truth that your firm’s reputation is in the hands of all your employees and all
those who act on your behalf. As they act in your firm’s name, people will
behave as they think appropriate. They will respond not to formal policies but
to ‘tone’: to the attitudes and behaviours of those around them, and those they
observe coming from board level. If those are ethical and open, then you have a
good chance that your employees’ and agents’ behaviour will be also.
The other reason why reputation management is in the hands of all man-
agement and employees is that, as we said earlier, the stakeholders are many
and various. In the Economist Intelligence Unit survey of international senior
executives quoted above, the question was asked: ‘Which of the following
have major responsibility for managing reputation risk within your company?’
Unsurprisingly, the top answer, with 84%, was ‘CEO/President/Chairman’.
There was then a sharp drop to 40% where we find: the board; CRO/Head of
Risk Management; heads of business units. And a further drop to 35% to find
the communications officer and compliance officer. Very surprisingly, when
the individuals were asked who in fact managed reputation risk, it emerged
that few of the executives surveyed took actual responsibility. There was no
formal reputation risk management process.
Perhaps that is because, although the CEO may personify the values and
conduct which ensure a company’s good standing, he or she should not have
the sole responsibility for reputation risk management. And nor should corpo-
rate communications for that matter. Responsibility should lie with whoever
is most responsible for the stakeholder group which may be affected by repu-
tational damage. Table 15.4 gives some examples:

Table 15.4 Stakeholders and reputational relationship managers

Stakeholder          Reputational relationship managers
Customers            Business line
Customer interface   Support functions, e.g. IT
Employees            HR
Suppliers            Procurement
Third party agents   Appropriate business line
Investors            Investor relations
Regulators           Compliance
Press                Press and public relations; corporate
Politicians          Public affairs or CEO
Trade unions         HR

The advantage of ascribing responsibilities for reputation across the firm is that
everybody takes the issue seriously. The danger is that each part of the firm
operates in its own silo. There needs to be coordination. Given the number of
areas which are directly involved in protecting a firm’s reputation, it is probable
that the CEO’s role – or better that of the board – is one of coordination.

Of course, the CEO or chairperson can single-handedly destroy a firm’s
reputation, either by conduct or speech. One of the most salutary examples is
probably Gerald Ratner.

Case study Gerald Ratner (1991)


In a speech at an Institute of Directors’ dinner on 23 April 1991, Gerald
Ratner, chief executive of Ratner’s jewellery group, his family’s business,
famously said:
‘We also sell cut-glass sherry decanters with six glasses on a silver
tray, the sort your butler would serve you sherry on, all for £4.95.
People say, “How can you sell this at such a low price?” I say,
“Because it’s crap.”’
He then compounded the felony by saying that some ear-rings were
cheaper than an ‘M&S prawn sandwich but probably wouldn’t last as
long’. The market value of Ratner’s group plummeted £500m, nearly
destroying it, and Ratner was forced to leave.

An interesting follow-up to the incident came from Ratner himself in his
book, Gerald Ratner: The Rise and Fall and Rise Again, where he pleads: ‘I had
worked bloody hard for 30 years, making millions of pounds for shareholders
and creating thousands of jobs for the company I loved, and I suddenly had it
taken away from me. Not for doing anything criminal. I hadn’t embezzled. I
hadn’t lied. All I had done was say a sherry decanter was crap.’ To which one
might say ‘Absolutely.’ If the gap between reality and perception is that great,
the result can be devastating.
Barclays Bank took this to another level in February 2004, when it insti-
tuted a reputation and brand committee, chaired by a Vice-Chairman,
reporting directly to the executive committee. It was prompted by the fact
that its image was still being affected by the student protests of the 1970s con-
cerning its involvement in South Africa. Other large companies, such as Credit
Suisse and HSBC, have established similar groups.
A committee like that can become the place to hammer out policy on such
issues as: a code of ethics; conflicts of interest; counterparties with which the
firm does not wish to be associated; and a code of behaviour within and with-
out the firm, especially if it operates in a variety of countries and cultures. It
will make decisions on policy and on conflicts, where a proposed transaction
may potentially contravene existing policy or guidance. If that kind of com-
mittee can be put in place, and supported by a reputation risk competence
centre, so much the better.

A proper governance structure will mean that everybody directly responsible
for reputation risk management has clearly defined roles and responsibilities.
Whether they are customer-facing or back office, they will have well-defined
criteria by which events can be assessed, supported by appropriate policies and
guidelines. They will also have a clear structure to identify and escalate issues
as they arise. And of course, the whole process should be regularly audited.

Identification and assessment of reputation risks

As reputation risk is an indirect effect of an underlying event, each risk identi-
fied in the risk identification process or risk register should be examined for
both the direct loss to the firm and the indirect loss which may arise through
damage to the firm’s reputation. This will show whether it will have a rep-
utation impact and which stakeholder groups will be affected. Identifying
stakeholders can be done simply, using a table such as Table 15.5. Identifying
reputation risk and new reputation risk stakeholders should also be considered
as a standard item during discussions on strategy, or about new projects or
products.

Table 15.5 Using the risk register to identify possible reputation risks

Risk   Employees   Customers   Suppliers   Investors   Agents   Press   Regulators
1
2
3
4
5

Once you have identified who might be affected, you can assess the likely scale
of reputation risk. Since that represents the gap between expectation and reality,
you first need a thorough understanding of how all your various stakeholders
perceive your firm. How well known are you? How much do they trust you? How
do they rate the quality of what you offer? What expectations do they have of
you? What promises do they believe you are making?
When something happens which may harm your reputation, the impact
will, in part, be affected by the goodwill you have with the relevant stake-
holder groups. So you need to establish a benchmark against which to assess
potential reputational damage. If you truly know what all of your stakeholders
are looking for in your business, you can reasonably assess whether the repu-
tational damage, if realised, is likely to be significant or not.
The best way to do that is to conduct surveys amongst your various stake-
holder interest groups. The surveys will establish not only your own reputation
but also how you compare with your competitors, since reputation varies as a


result not only of your actions but also of those of your competitors. The sur-
veys can take a variety of forms – face-to-face interviews, questionnaires, e-mails
– depending on how many stakeholders you have, how many of them are con-
sidered to be key, or how many you may need for a representative sample.
The next step is to establish your appetite for reputation risk, which is prob-
ably best done by establishing a scale of damage to measure the impact of an
event on your stakeholders. One example is given in Table 15.6.

Table 15.6 Levels of reputational damage (example 1)

Level   Stakeholder reaction   Trust damage
1       Disappointment         Trust questioned – but recovered speedily
2       Surprise               Trust dented – recoverable with time and good PR
3       Concern                Trust diminished – recoverable at considerable cost
4       Disgust                Trust severely damaged – never fully recoverable
5       Outrage                Trust completely lost – not recoverable

Source: Garry Honey, A short guide to reputational risk (London: Gower), 2009

Another example, which is used in the banking industry (see Table 15.7),
focuses mainly on a number of key stakeholders such as customers, regulators
and investors.

Table 15.7 Levels of reputational damage (example 2)

Level   Reputational damage
1       No external effect.
2       No media coverage; increase in customer complaints.
3       Limited local or industry media coverage; large-scale customer complaints;
        possible account closures; no negative effect on share price.
4       Limited national media coverage; large-scale customer complaints; some
        customer loss; informal regulatory enquiry; potential negative effect on
        share price; possible senior management involvement.
5       Sustained national and limited international media coverage; serious
        customer loss; formal regulatory investigation or enquiry; negative impact
        on share price; senior management involvement.
6       Sustained negative national and international media coverage; large-scale
        customer loss; formal regulatory intervention and fines; significant effect
        on share price; direct senior management/board involvement.
Source: British Bankers’ Association Global Operational Loss Database

The important thing is to establish a scale, involving your own key stakeholders, against which to test both your risk appetite and potential reputational damage.


15 · Reputation risk

Having done the groundwork, you can now revisit the risk register and determine the likelihood of suffering reputational damage, the adequacy of your controls and whether an event would be likely to exceed your reputational risk appetite.

Using scenarios

A highly effective method of considering potential reputational damage is to use specific reputation risk scenarios as an assessment tool. They could be one or a combination of incidents such as:
• loss of a licence
• adverse media campaign
• legal dispute
• loss of employees’ trust (e.g. following a whistleblower event)
• adverse perception of selected products and services by customers
• investigation by the regulator and resultant publicity.
In building scenario outcomes, consider each stakeholder and how they interact with each other, as we did during the exercise on identifying reputational risks (see Table 15.5). What are the information flows between them, as well as the information flows between them and you? Consider the incident or incidents against the background of your risk and control assessment. A control failure which you identify in the scenario exercise may affect risks other than those directly related to the incident itself.
Either method – risk register or scenarios – will produce a hierarchy of reputation risk events or scenarios, and point to an effective action plan.
As suggested earlier, the scale of possible reputational damage may well not present itself solely as a financial number, although significant costs may be involved in restoring a stakeholder group’s trust in the firm. Reputational impact is difficult to assess, since the range of impacts is large and much will depend on the true causes, on whether the problem is systemic or individual and, crucially, on the speed and effectiveness of the response to the problem.

Reputation risk controls

Just as with the controls discussed in Chapter 4, Risk and control assessment, reputation risk controls can be either detective or preventative. With reputation risk, the best control is to manage expectations. Stakeholder surveys are detective controls which not only provide a benchmark with which to assess potential reputational damage, but also act as a basis for establishing preventative controls to reduce both the likelihood and impact of reputation risk events.
The corporate communications department is not the sole repository of reputation risk management, but it nevertheless has a critical role to play in managing expectations. Apart from press and similar communications, the annual report can be a useful part of the process – or a source of reputation risk, given the increasing need to articulate the management of non-financial risks. As was pointed out in Chapter 3, Governance, there is a reputational gain in explaining the nature of the risks which a company faces and the processes it has in place to manage those risks. Against that, the prudent auditor may well suggest that the important thing is to release into the public domain only that information which has to be revealed, and to make sure it is relevant, reliable and accurate. Has the information been properly audited? Whatever is released, however, it is important that there is a process which assesses the tone of the reporting and its probable impact on stakeholder groups.

Tracking reputation risk

Reputation risk can arise, broadly speaking, in two ways: degradation of a firm’s reputation over time; or its ability or failure to handle a sudden crisis or catastrophe, whether or not it was the author of the crisis. Planning for a crisis will come from working through scenarios and drawing up an appropriate plan, as we show later (see It won’t happen to me: what to do when it does).
The threats to a firm’s reputation often come from the drip, drip of an accumulation of small shifts in perception. A small event can be seen as symptomatic of a wider malaise. Monitoring perceptions of a firm’s reputation is a critical part of reputation risk management. So the surveys described earlier, which act as controls when they are used to assess the changing perceptions of stakeholders, are also indicators of changing exposure to reputation risk.
The surveys, including self-assessments, perhaps based on the Harris-Fombrun reputation quotient (see Table 15.2), are ‘soft’ indicators of changing reputation risk. It is difficult to refine these softer indicators down to precise financial measurement, but they do provide the means to an analysis and index of reputation. If you can identify indicators for the sources of greatest potential damage to reputation, you are then able to direct policies and resources to manage these.
In today’s world of extensive social media, tracking what is being said about you on the blogosphere is another important way of monitoring the views of customers or of special interest groups. As we said earlier, your reputation can be damaged not just by what you did but by what somebody says you did, however unjust. Word travels far and fast on the Web, so you need to be in touch with what is being said about you and be able to put in place appropriate counter-measures.
Another aspect of the rise of social media – chat rooms, blogs, Twitter, YouTube and so on – is not just what outsiders say about you, but what your employees say on them about you. Your employees hold your reputation in their hands. We used to be concerned about an unguarded remark in the pub or at a party. Now the risk is expanded through social media sites, where it reaches a much wider audience. Do you have a clear policy in the staff handbook for how employees can use these sites or what they may or may not say? Have you established a tracking process to monitor what your employees are publicly saying about you?
Apart from these ‘soft’ methods of tracking reputation risk, there are numerous ‘hard’ indicators which may point to a changing reputation and can be tracked over time. Amongst them are:
• decline in revenues
• decline in market share
• difference between the market value and liquidation value of the firm (effectively the movement in the value of goodwill in the firm)
• number of customer complaints
• number of product recalls
• increase in regulatory attention
• firm’s position on a publicly recognised reputation index.
But before dealing with what to do in a crisis, it’s worth looking for a moment at relations with third parties.

Managing intermediary risk

One of the problems of reputation risk is that often your reputation effectively lies in the hands of others, whom you cannot directly control. That is especially true of those who sell your products or services. An important control here is to ensure that good quality advice is given to the customer to avoid any risk of mis-selling. Whilst an intermediary is primarily responsible to the customer, your reputation can also be damaged, however unfairly. It is the perception which matters, whatever the truth.
The key is to engage in thorough due diligence before you take on an intermediary, and then to make sure you continually review progress through continuous dialogue and more formal reporting. The following checklist provides a useful list of topics.


Checklist – Checklist for using intermediaries

Due diligence for new intermediaries
• CVs of key individuals
• professionalism, expertise and experience
• business plan
• financial standing
• banking/credit control procedures
• compliance procedures and controls, especially Treating Customers Fairly (if appropriate)
• complaints and analysis
• press and advertising
• product information and marketing strategies
• remuneration strategies
• business continuity plan
• previous audits

Review of existing intermediaries
• continuous review of most of the above
• inaccurate or untimely reporting by intermediary
• management information
  – business volumes
  – prospect types and volumes
  – business outside intermediary’s norm
  – business outside agreed business plan
  – cancellation rates
  – complaints – volume and analysis
• audit
  – purpose: to enhance the intermediary’s performance and development
  – conducted by approved audit partners
  – consistent approach across all intermediaries

But it’s not a one-way street. The intermediary also has a reputation to protect and needs to ensure that any interaction with the product provider does nothing to harm it. The following is a checklist for intermediaries.

Checklist – Checklist for intermediaries

The initial due diligence will be complementary, but in addition:
• Does the provider provide clear product information and training?
• What do customers say about interaction with the provider?
• What does the industry say about the provider?
• New products – what is the product design process: focus groups, stress testing, product training?
• Where has the provider had problems in the past and were they rectified speedily and satisfactorily?

One point common to both checklists is that the results of both due diligence and ongoing review should be clearly documented. For the intermediary it is especially important to document why the provider’s product has been chosen.
As with all aspects of reputation risk management, this is not only about the down-side. Where providers and intermediaries work together, their reputation can be enhanced.

It won’t happen to me: What to do when it does

Reputation risk management is different. Dealing with a reputation risk event is not the same as activating the business continuity plan we considered in Chapter 10, although it may be part of it. That is because reputation is in the mind, whether it is the mind of the public, the media or any other constituency. The reason for the problem may be operational, and that can be fixed, but reputational damage is a separate effect, with potentially far more expensive consequences, which must be treated separately – and fast.
The news media no longer reports on a daily basis. Journalists are required to file stories instantly, through blogs and websites, leaving less time than ever to think and challenge a version of events. It is a sad truth of modern commercial news media that journalists now have little, or even no, time to check a given version of the ‘facts’.[9] News journalists are not specialists. And yet they shape the agenda, often by framing the charge in the court of public opinion. Unfortunately, in that court, lawyers are of little use. The lawyer’s advice to ‘admit nothing’ is at best irrelevant, and at worst can significantly harm your business value. By all means retain lawyers for legal advice, but do not make them your first source of counsel on crisis communications matters.
In a crisis, when there is the threat of catastrophic loss of trust, you have limited time to start communicating. If you leave a vacuum, other organisations and stakeholders will assert their own agendas and write a script for you, which will rarely be flattering. At a time of crisis, all parties involved will engage in a contest to stake a claim to ownership of the debate or issue, to ‘frame the dialogue’. It is up to you to frame the debate. A good example was the Democratic presidential primary campaign in 2008. The Obama team successfully framed the debate about Hillary Clinton, the clear front runner, and used unprecedented means – the Web, text messages – to get their message across. Another aspect of this approach is to polarise the debate. ‘Only an unreasonable person would disagree with us’, or ‘if you’re not for us you’re against us’, as George W. Bush did on the ‘war on terror’.
However, if you can at least communicate quickly, the chances are that those running the business may get stakeholders to give them the benefit of the doubt, granting some valuable extra time to exert control over the underlying problem. The worst thing executives can do is to be afraid to speak to the media or make any public pronouncement in case their words are misinterpreted or taken out of context.
So what do you say, when you’re in the eye of the storm? Be transparent. Be truthful. Tell it all and tell it quickly. Media stories can come from whistleblowers and malicious tip-offs. Companies that keep silent often become the subject of rumours and speculation. What are they trying to hide? The longer it takes to deal fully and openly with a problem, the greater the impression of foot-dragging, while a series of forced disclosures keeps the issue in the media longer. The Perrier contaminated water case is a good example of how not to do it.

Case study – Perrier (1990)

In February 1990, 160 million bottles of Perrier mineral water were withdrawn from the world market when abnormal traces of benzene were found during testing in the US. The problem led to a charge against earnings of over US$200m.
Although Perrier returned in France one month later and to the US after four months, its reputation took a severe dent from its previous high level. This was mainly as a result of failures of reputation management at the time the crisis occurred.
Reputation risk issues
Initially, little information was made available to consumers, although Perrier UK set up a 24-hour helpline.
Response to the crisis was not managed as a global issue, but by local companies, so that the message was not consistent. Statements from different divisions were contradictory and conflicting, with the media on occasions being given incorrect information.

The lessons to be learnt from the Perrier case are:
• don’t hide the truth
• be straight with the media (because your employees will be if you’re not)
• recognise where trust lies and don’t breach it (contamination was the worst possible crisis to afflict a brand associated with natural purity)
• make sure you have a coherent and consistent communications policy.
And above all, don’t make light of the seriousness of the situation or imply that ‘these things happen’.
Deal with the problem as quickly as you can and follow the 3 Cs [10] shown in Table 15.8.

Table 15.8 The 3 Cs of reputation risk communication

CONCERN     Acknowledge something has gone wrong
            Accept responsibility
            Apologise
            Express regret and concern
            Offer remedies
COMMITMENT  Commit to fixing the problem
            Explain in detail what you’re going to do
CONTROL     Show that leading figures in the company:
            – are in control of the situation
            – are working to make sure it won’t happen again

A classic example of how to deal with a reputational crisis was Johnson & Johnson’s handling of the reputational problems arising from the Chicago Tylenol murders in 1982. It demonstrated all the qualities of speed, concern, commitment and control.

Case study – Johnson & Johnson and the Chicago Tylenol murders (1982)

The Chicago Tylenol murders occurred when seven people died after consuming capsules of Extra-strength Tylenol for pain relief. The capsules had been laced with potassium cyanide.
Since the capsules had been manufactured at different factories, it was evident that sabotage during production could not have occurred.
Reputational risk response
The first death occurred on 29 September 1982. Johnson & Johnson, the parent company of McNeil, immediately distributed warnings to hospitals and distributors and halted Tylenol production and advertising.
On 5 October, Johnson & Johnson issued a nationwide recall of all Tylenol products – some 31 million bottles with a retail value of over US$100m.
The company also advertised in the national media for people not to consume any products containing Tylenol.
When it was established that only capsules were involved, they offered to exchange all Tylenol capsules for solid tablets.

Remember your own employees. They are key stakeholders and crucial advocates in defining your reputation. So make sure they’re involved in the communications exercise from the start.
As to who does the communicating, you should ideally provide one spokesperson, with one message, certainly in dealings with the media. Otherwise there is the danger of mixed or conflicting messages which will only make the situation worse.
Equally important is to make sure that whoever appears for you knows what they’re talking about. Accept that for some purposes a line manager simply will be a better communicator than the chairperson, although the latter should be seen to be involved.
Certainly, the board will want to be kept aware of, and possibly involved in, the strategy for responding to a crisis of reputation. But the most important thing is to keep an eye on the various stakeholders, and to communicate with each of them in the way they would most expect and appreciate, preferably through the relationship manager (see Table 15.4). Any reputation crisis plan should ensure that crises are tackled by the appropriate person in the firm, with a consistent message, and soon.
Finally, it is a fact of life that in the court of public opinion you have no right to remain silent – although anything you say may, and probably will, be used against you. You must answer the charges as presented, however unreasonable. The court of public opinion also operates a harsher regime than a court of law: you are guilty until you can prove you are innocent. Sentencing and punishment, in the shape of public vilification, starts immediately. Regarding the Enron case discussed earlier, Andersen eventually won its battle in the legal courts. But by then the clients had long since deserted, and the firm and its reputation were destroyed; the legal victory was hollow.[11]
Let Shakespeare have the last word:
‘The purest treasure mortal times afford
Is spotless reputation: that away,
Men are but gilded loam or painted clay’.
(Richard II, I, i, 177–9)


Notes
1 Morgen Witzel, The terrible cost of reputational loss, Financial World, July/August 2009, pp. 53–55.
2 Quoted in Stuart Fagg, Reputation risk management beyond the spin, Risk, 18 August 2006.
3 Commencement address at Harvard University, 10 June 1999.
4 Alison Maitland, Barclays banks on a good name, Financial Times, 19 February 2004, p. 11.
5 8th annual CEO survey, PricewaterhouseCoopers, 2005.
6 Aon, Global Risk Management Survey, 2007.
7 See Diane Vaughan, The Challenger Launch Decision (Chicago and London: University of Chicago Press), 1996.
8 Economist Intelligence Unit white paper, Reputation: Risk of risks (London: EIU), 2005.
9 Nick Davies, Flat Earth News, 2006.
10 The 3 Cs themselves are fully discussed in Judy Larkin, Strategic Reputation Risk Management (Basingstoke: Palgrave Macmillan), 2003.
11 Tim Prizeman, Director of PR advisers, Kelso Consulting, in Internal Auditing, December 2008, p. 33.

Resources and further reading

Chapter 1 What is operational risk?
Peter L. Bernstein (1998) Against the Gods, New York: J Wiley & Sons.
Michael Power (2009) Organized Uncertainty, Oxford: OUP.

Chapter 10 Business continuity
Tony Blunden and Tim Landsman (2003) The Business Continuity Lifecycle, Complinet, www.complinet.com.
British Bankers’ Association and KPMG (2003) A Guide to Business Continuity Management, www.bba.org.
British Standards Institute, BS 25999-1: Business Continuity Management: Code of Practice, 2006; BS 25999-2: Specification for Business Continuity Management, 2007.
Business Continuity Institute website: www.thebci.org

Chapter 12 Internal audit
Institute of Internal Auditors website: www.iia.org
KPMG Audit Committee Institute website: www.kpmg.co.uk/aci.

Chapter 13 Outsourcing
The Outsourcing Institute website: www.outsourcing.com
Outsourcing Leadership website: www.outsourcingleadership.com

Chapter 15 Reputation risk
Garry Honey (2009) A Short Guide to Reputation Risk, Farnham: Gower Publishing Limited.

Index

accounting information 13–14
action plans 22, 23, 70, 88–90, 125
actions 60, 105, 132–3
activities, business 66, 72, 74–5, 100–2, 206–7
activity maps 69
amount of loss 49–50, 104–5
anchoring 182–3
appraisals 277–8
Aquinas, T. 5
Arthur Andersen 294, 295, 310
assumption of risk, proactive 13
assumptions
  modelling 151–2
  scenarios 184
assurance, independent 39, 40, 41, 229–31
asymmetry of information 218–19
audit 14, 228–9
  external 229, 231–2
  internal see internal audit
audit committees 56, 229, 232, 239–41, 242
  risks and risk indicators 240–1
audit cycle 235
availability bias 177, 182–4
average 80

back-testing 80
Balfour Beatty 45–6
bar charts 137–8
Barclays Bank 300
Barings Bank 4–5, 6, 112
Basel Committee 8–9, 27, 100–1, 102, 107, 147, 149, 150, 180, 186
behavioural risks 297
Bernoulli, D. 7
Bernoulli, J. 17
biases 91, 177–8, 182–4
bimodal distributions 161
blank sheet of paper approach 118
board of directors 18, 46–8, 55–6, 68, 82
bonuses 280–2
boundary issue 11–12, 134
brand 292
British Airways (BA) 252, 258, 283
budgets 92, 208
business activities 66, 72, 74–5, 100–2, 206–7
business case 208
business continuity 31, 199–213
  governance 202–3
  maintenance and continuous improvement 213
  plan 209–13
    testing the plan 210–13
  policy statement 202
  and risk management 201
  strategy 206–9
  threat and risk assessment 204–5
business critical activities 204
business environment 185
business impact analysis 203–4
business lines 57–8, 100–2, 178
  three lines of defence model 39, 56–7, 228–9, 231
business objectives 7, 44–5, 66, 68–9, 72, 74–5, 178
business optimisation 26, 33–4
business processes 66, 72, 74–5
  continuous improvement 188
business support functions 47–8
business units 47–8
buy-in 18–19, 24

capability 257
capital markets 224–5


capital requirements 54–5, 161–2
  modelling 162–6
captive insurance companies (captives) 222–3
catastrophe bonds 14, 224–5
causal analysis 104, 108
causes/triggers 71, 74
chain of causality 15, 16, 69, 74
  insurance and 216–17
Challenger space shuttle disaster 4, 296
change 264–5, 273–4
chief executive officer (CEO) 57, 100, 131, 181, 209, 210, 229, 272, 282, 284, 299–300
chief financial officer (CFO) 98, 229
chief risk officer (CRO) 57, 59, 229, 242, 299
claims made policies 221
codes of corporate governance 6
colours 19–20
Columbia space shuttle disaster 296–7
commitment 309–10
common scenario outcomes 186–7
communication 19, 131, 241
  business continuity 206–7, 212, 213
  reputation risk crises 307–10
company name 99
compatibility 259
competence 257
compliance 88, 134
compliance function 58–9
concern, in reputational risk communication 309–10
confidence levels 161–2
consequences see effects/consequences
construction industry 45–6
consulting 238–9
contingency planning 176–7
  see also business continuity
control, in reputational risk communication 309–10
control failures 60, 74, 104, 108
control owners 70, 82–3
controls 60, 70, 108, 124–5
  design 61, 86–7
  effectiveness 92
  identifying 83–8
  modelling 164–6, 167–8
  reputation risk 303–4
  see also risk and control assessment
core functions 251–2
corporate culture 10, 11, 21, 26, 39, 42, 44, 47, 55, 259, 270–4
corporate governance codes 6
correct or improve actions 105
corrective controls 85, 124, 165–6
correlations 157–8
costs
  evaluation and insurance 220–1
  and outsourcing decision 250–1
coverage, insurance 218–19
credit risk 11–12, 59
crises 274
crisis management 283–4
  reputation risk 307–10
  scenarios 189–90
crisis management team 181–2, 210
culture, see corporate culture, risk culture
currency risk 265

dashboard reporting 125–6, 141–2, 143
data
  attributes and events and losses 99–106
  cleansing 159
  completeness 111–12
  consistency of external data 112
  infrastructure 206–8
  lost 98–9
  problems in combining external and internal data 158–61
  quality 112, 132, 152–3
  security 258
  timeliness of 114
dates 102–3
Datini, F. 216, 220
decision making 187–8
defensive approaches 187–8
dependency, chain of 258
description, event 103
design of a control 61, 86–7
detective controls 85–6, 124, 165–6
deterministic approach 190, 192–5
direct hard events 96
direct loss 78
direct soft events 97
directive controls 85, 124
disclosure requirements 27
discovery-based policies 221
distributions 157

documentation 212, 213
due diligence 305–7

effects/consequences 71, 74
  chain of causality 15, 16, 69, 74, 216–17
Enron 100, 294–6, 310
enterprise risk management (ERM) 10–11
ethical creep 294–6
evaluation of providers 256–7
events 14, 22–3, 28–9, 61, 69, 95–114
  categories 96–7
  chain of causality 15, 16, 69, 74, 216–17
  combinations of 182
  data attributes 99–106
  nature of 96–9
  use of 108–10
  using major events 114
  see also losses
excellence 270–1
executive operational risk committee 56–7
exit strategy 266
expected likelihood/impact 77
expected losses 48, 49
external audit 229, 231–2, 240
external data 158–61
  health warnings 111–13
external events 8, 9, 298
external loss databases 110–13
extreme events, preparing for 187–8
Exxon Valdez oil spill 4

facilitated sessions 90
fat tails 160–1
financial services 5–6, 11–12, 27
flexibility 273–4
follow-up 91
framework, see operational risk management framework, reputation risk management framework
frequency (likelihood) 61, 77, 78, 79–81, 85–6, 183–4

gains 98
gaps, data 158
Gate Gourmet 258, 259
geographic regions 73
glossary of terms 43, 60–1
Goldfish 248–9
goodwill 293
governance 22–3, 26, 27–8, 37–63
  business continuity 202–3
  operational risk management framework 22–3, 39–42
  operational risk policy see operational risk policy
  outsourcing 262–3, 264
  reputation risk management 298–301
  standards and modelling 155–7
  stress testing and scenarios 179–81
  timeline for implementation 62
governance team 262–3, 264
gross (inherent) risk 76

Harris-Fombrun model of Corporate Reputation Quotient 293–4
head of internal audit 241–2
head of operational risk 59–60, 98
heat maps 50–1, 80–1
Heathrow Terminal 5 282, 283
historic data 178–9, 185
human resources (HR) department 284–5
hypothetical data 185

immediate actions 105
impact (severity) 61, 77, 78–81, 85–6, 183–4
  components 78–9
importance of a control 88
incentives 134, 280–2
inclusive modelling approach 155–7
independence 229–30, 232
independent assurance 39, 40, 41, 229–31
independent controls 83
indicators 22–3, 26, 29, 61, 71, 109–10, 115–26
  action plans 125
  benefits 29
  KCIs 117–21
  KPIs 117–18
  KRIs 52–3, 116, 117–21


  leading and lagging 124–5
  people risk 279, 285–7
  periodicity 123–4
  and risk and control assessments 119–21
  targets and thresholds 121–3
indirect hard events 96
indirect loss 61, 78
indirect soft events 97
industry-based information 177, 186
information asymmetry 218–19
infrastructure 206–8
institutional conditioning 294–6
insurance 31–2, 84, 160, 215–26
  alternative risk transfer mechanisms 222–6
  buyer 217–18
  buying 217–21
  carrier 222
  and chain of causality 216–17
  coverage 218–19
  evaluation 220
  mapping 219–20
  operational risk and 216
  types of policy 221
integrated risk management 187
intermediary risk 305–7
internal audit 39, 58, 93, 227–43
  audit committees see audit committees
  and consultancy 238–9
  effective 241–3
  and external audit 231–2
  independent assurance 39, 40, 41, 229–31
  and risk management oversight 233–4
  role of 234–9
internal data 158–61
internal measurement approach (IMA) 147–9, 151–5
interviews 91
investigations 239

Johnson & Johnson 309–10

key control indicators (KCIs) 117–21
key people risk indicators 279, 285–7
key performance indicators (KPIs) 117–18
key risk indicators (KRIs) 52–3, 116, 117–21
King, M. 18
King Report 6

lagging indicators 124–5
leadership 272–3
leading indicators 124–5
Lean management 26, 33
Leeson, N. 4–5
legal risk 9, 44
levels
  firm levels and risk appetite 47–8
  risk and control assessment 66, 68–9, 74–5, 83
likelihood (frequency) 61, 77, 78, 79–81, 85–6, 183–4
limits of exposure 14
‘living wills’ 189–90
Lloyd’s of London 177, 186
location 100, 206–7
London bombings 2005
  lessons 205
loss capture form 106
loss distribution approach (LDA) 149, 151–5
losses 22–3, 26, 28–9, 61, 72, 87, 95–114
  actual losses and near misses 97
  amount of 49–50, 104–5
  back-testing impacts and likelihood 80
  data attributes 99–106
  direct and indirect 78
  expected and unexpected 48–9
  external loss databases 110–13
  loss event types 102, 103
  number of 53–4
  reporting 107
  reporting threshold 107–8
  risk appetite in relation to actual loss experience 49–50
  scenarios and loss numbers 177–8
  use of 108–10
  see also events
losses discovered policies 221
losses occurring policies 221
lost data 98–9

Macmillan, H. 200
major events 114


management, effective 273
management information 118–19
mapping 219–20
market risk 11–12, 59
marketing 26–7
Maxwell, R. 16, 100
measurement of operational risk 15–17
mechanical and point-of-time approach 178
mitigation 84
  see also controls; insurance
modelling 20, 22–4, 26, 30, 92, 145–71, 176
  benefits 30
  capital modelling 162–6
  confidence levels 161–2
  distributions and correlations 157–8
  inclusive approach 155–7
  previous approaches 147–55
  problems in combining internal and external data 158–61
  qualitative modelling 166–71
monitoring
  outsourcing 264
  reputation risk 304–5
motivational bias 177–8, 182–4
mutual insurance companies (mutuals) 223–4

name of firm 99
Napoleon’s army 4
NASA 296–7
National Health Service (NHS) 286
near misses 61, 97
net (residual) risk 76
news stories 181
non-compliance 134
numbers 19–20

objectives/goals
  business objectives 7, 44–5, 66, 68–9, 72, 74–5, 178
  outsourcing 252–3
offsets 98
offshoring 265
ongoing review 305–7
openness 272–3, 281, 308
operational risk 3–24
  boundary issue 11–12
  chain of causality 15, 16, 69, 74, 216–17
  defining 8–10, 42
  difference from other classes of risk 12–15
  and ERM 10–11
  evolution 4–6
  head of, see head of operational risk
  and insurance 216
  measurement of 15–17
  and objectives 27
  outsourcing and transforming 248–9
operational risk appetite 20, 27, 42, 43–55
  defining 43–4
  expressing 49–55
  and risk tolerance 45, 46
operational risk environment 22–3
operational risk management 15–34
  benefits beyond the framework 31–3
  benefits of getting it right 27–31
  business optimisation 26, 33–4
  challenges of 17–22
  framework 22–4, 39–42, 67–8, 96
  as a marketing tool 26–7
  timeline for implementation 62
operational risk policy 27, 42–61, 67–8
  glossary 43, 60–1
  operational risk appetite 42, 43–55
  roles and responsibilities statement 42–3, 55–60
operational risk tolerance 45–6
organizational culture 259, 270–4
outsourcing 32, 247–67
  benefits 32, 249–51
  decision 249–52
  exit strategy 266
  governance 262–3
  managing the project 262–5
  minimising failure 252–3
  request for proposal 253–4, 255
  risk assessment 253–4
  selecting the provider 255–60
  service level agreements (SLAs) 253–4, 260–2
  transforming operational risk 248–9
overconfidence bias 182

oversight 39, 56–7, 228–9, 231, 233–4
owners 81–3
  control 70, 82–3
  risk 70, 81–3, 133, 168–9
partition dependence 182
people risk 8, 9, 19, 32, 265, 269–87
  appraisals 277–8
  HR department 284–5
  indicators 279, 285–7
  mitigating 275–82
  people environment 270–4
  reward 279–82
  selection 276–7, 286
  succession planning 282–4
  training and development 278–9
percentages 79, 87
performance of a control 61, 86–7
performance management 277–8
periodicity 123–4
Perrier contaminated water case 74, 308
pie charts 136–7
Piper Alpha oil platform 4, 6
planning 252–3
  audit 235
  business continuity 209–13
  testing the plan 210–13
policy 202, 234–5, 251
Potters Bar train crash 252
power infrastructure 206–8
preventative controls 85–6, 124, 164–5
pricing 30, 257–8
Principles of Good Business Conduct 271
priorities 235–7
probabilistic approach 190, 191, 196
process maps 69
process risk 8, 9
processes
  business processes 66, 72, 74–5
  operational risk management 42
provider, selection of 255–60
provisions 92
qualitative data 131–2
qualitative governance standards 155–6
qualitative modelling 166–71
qualitative risk assessment 77
quantitative data 131–2
quantitative governance standards 156–7
quantitative risk assessment 77
questionnaires 91
Railtrack 252
random words 185
ranges vs single figures 79–80, 88
ranking of risks and controls 169–71
Ratner, G. 100, 300
RBS 248–9
recoveries 98
recruitment 276–7, 286
regulatory risk 9
relevance of reporting 130–1
remuneration 237, 279–82
reporting 21, 22–3, 26, 30–1, 107, 129–43
  basic principles 132–5
  benefits 30–1
  and blame or closed culture 272
  common issues 130–2
  internal audit 237–8
  linking model data and reports 163–4
  outsourcing 264
  people risk 273
  relevance 130–1
  report definition 135–6
  styles and techniques 136–40
  threshold 107–8
  timeliness 133
reputation 290–2
  and brand 292
  damage 74, 294–8
  valuing 292–4
reputation and brand committees 300
reputation risk 9, 32–3, 179, 265, 289–311
  appetite 48, 302–3
  controls 303–4
  crisis management 307–10
  managing intermediary risk 305–7
  risk appetite 48, 302
  risk management framework 298–303
  tracking 304–5
request for proposal (RFP) 253–4, 255
resourcing 237
responses
  choosing the best 206–8
  triggers 205


retention of staff 282–3
reverse stress tests 189
reward policies 279–82
risk 7, 61
risk appetite 43, 92, 111, 188
  operational 20, 27, 42, 43–55
  reputation 302–3
risk assessment 76–81, 204–5
  outsourcing 253–4
  reputation risk 301–3
risk categories 73
risk and control assessment 18, 19, 22–3, 26, 65–94
  action plans 88–90
  aims 66–7
  applying scenarios to data from 190–6
  avoiding common risk identification traps 70–5
  basic components 69–70
  benefits 28
  conducting 90–2
  events and losses 108–9
  example 88, 89
  identification of indicators 119–21
  identifying controls 83–8
  and indicators 119–21
  internal audit 235–7
  modelling 166–71
  owners 70, 81–3
  prerequisites 67–9
  reasons for going wrong 93
  risk appetite using 50–2, 92
  risk assessment 76–81
  scenarios and 72, 92, 176, 185, 191–5
  using 92–3
risk culture 18, 34, 38, 44, 57, 111, 187, 238
risk drivers 72–3
risk events see events
risk identification 70–5, 301
risk management 5–6, 201
  oversight 39, 56–7, 228–9, 231, 233–4
risk owners 70, 81–3, 133, 168–9
risk register 70–1, 301–3
risk themes 72–3
roles and responsibilities statements 42–3, 55–60
Sarbanes–Oxley legislation 229, 232
Satyam Computer Services 257
scaling 112–13, 158
scenarios 18, 22–4, 26, 61, 110, 173–96
  applying to operational risk management data 190–6
  auditing 230
  benefits of scenario analysis 29–30
  crisis management 189–90
  developing 181–7
  governance 179–81
  insurance 219–20
  preparing for extreme events 187–8
  problems with 177–9
  rationale for using 176–7
  reputation risk 303
  risk and control assessments and 72, 92, 176, 185
  and stress testing 175
  typical problems following scenario development 188–9
scorecard approach 150–5
scores, levels of 79, 87
selection 276–7, 286
self-assessment 90
self-insurance 225–6
senior management 46–8, 272
service level agreements (SLAs) 253–4, 260–2
severity see impact (severity)
shading 140
Shakespeare, W. 290, 310
shareholder value 78
shareholders 46–7
sickness 285–6
single figures vs ranges 79–80, 88
Six Sigma 26, 33
social media 304–5
spidergrams 51, 52
staff retention 282–3
staff turnover 286
staffing 206–7
stakeholders 291, 292, 299
surveys and reputation risk 301–2


status 237
strategic risk 9, 44–5, 66, 74–5
strategy 206–9
stress tests 12, 24, 72, 110, 173–96
  principles for 180
  reverse stress tests 189
  and scenarios 72, 175
  see also scenarios
succession planning 282–4
sustainability 260
systems infrastructure 206–8
systems risk 8, 9
target risk 76
targets 121–3
terminology 43, 60–1, 131
third parties 298
  intermediary risk 305–7
  review of risks and controls 90
threats 204–5
three-dimensional reports 138–9
three lines of defence model 39, 56–7, 228–9
thresholds 121–3
time periods 78, 79, 87
timeframe for scenarios 177
timeline 62
Titanic 4
tone from the top 18, 38, 272
tradeability of operational risk 14–15
training 154, 213, 265
  and development 278–9
transaction-based risk 13, 14
transition process 263
transparency 272–3, 281, 308
tune in the middle 18, 38
two-dimensional line charts 139–40
Tylenol 309–10
unexpected likelihood/impact 77
unexpected losses 48–9
utilities 206–8
validation of thresholds 123
Walker Review 56, 239
weather derivatives 225
weighting of cells 159–60
workshops 90–1
World Trade Center 9/11 terrorist attacks 16, 200, 224
worst case 80
zero risk appetite 45–6
